From the Editor


It's February and I'm writing this, sequestered in my home in New York.
I'm able to write this from the solitude of a snow-filled landscape, and
that gives time to think and reflect on the course of the technology
professional today. I've been able to have some great conversations with
people both long in this business, and those fairly new to it. We're
seeing a lot of great changes, great thinking and amazing work. At the
same time, I find some people that are just not seeing the evolution
taking place. It is one of our goals at MacTech to help people understand
this evolution and how to ensure that you're working with the latest
skills and trends to evolve themselves. This happens through the content
in the magazine and on http://www.mactech.com, of course.

Additionally, this is happening through the MacTech Conference and
MacTech Bootcamp shows that we're running. The first MacTech Conference,
for IT and developer professionals, took place this past November and was
a great success. It will go on to be an annual event, and we're planning
the next one for this Fall right now. The first MacTech Bootcamp, for
techs who primarily spend their time in the home user, SOHO and small to
medium sized business market, just took place on the 26th of January.
We're always thinking about ways to evolve how we get people together to
have a great experience.

Some of the news that you may have already seen is that MacTech has
acquired NSConf in the United States. The short version of this simply
means that we'll have Steve "Scotty" Scott leading the Developer portion
of MacTech Conference, while we continue with the other great content and
events that make up the show. This includes ways of involving people of
all experience levels, and exposing people to technology and practices
that will help them grow.

This month's cover story introduces the nmap network scanner for testing
the security of hosts on a network. Network scanning is a basic technique
used by people probing a network or host before an attack, so as someone
defending those resources, you should be familiar with it. Let
contributing author Mihalis Tsoukalos guide you through using nmap to
uncover the holes in your hosts before other people do.

Another evolution of sorts comes in the form of AppleScript. Frequent
MacTech author Jose Cruz teaches you all about the Objective-C bridge
that's now available. If you have a legacy of AppleScript code, and it
happens to need some updates, or it needs some new functionality, check
out "Cocoa-Covered AppleScript."

The Mac App Store! Another evolution that needs no introduction. It's
here to stay, but is there a way to work with it? Or will it be a
free-for-all for your users that you so carefully manage? Greg Neagle
answers all of your questions in "Mac App Store and the Enterprise."

In addition to the stories mentioned, we have much more, in the form of improving your Ruby 
code for Sys Admins, a retrospective for Consultants and billing practices for consultants. 

Until next month, continue your own evolution and let us know how we can further that! 


Ed Marczak,
Executive Editor 
Mac in the Shell

by Edward Marczak 


Ruby Error Handling

Expecting the worst, while still ensuring a great experience.


for errors doesn't continue to the heart of the program, when 
we're actually copying files. What could go wrong? 

Well, what if the file copy fails? "We're running as root!" you say. Even
so, you'll find that things can still fail. What if there's disk
corruption? What if you're running this across end-user machines? You'll
find that given a large enough user-base that people do a lot of things
you don't expect...like marking certain files and folders in their home
directory as unchangeable. If you're in an environment with multiple
System Administrators, you may find that another administrator did
something unexpected, like linking one (or more) of the user homes to
another volume that isn't always mounted. So your code needs to be
prepared for the worst, instead of just crashing.

The part that I said I'd explain this month centers on the raise command.



Dealing with errors 


Introduction 

Last month, we continued to look at Ruby as a practical way for Sys
Admins to automate tasks. We ended with a short program that copies a
file into every user home directory. While we did a basic check up front
for the root user, we didn't go beyond that. This month, I'll show you
how to handle unexpected errors and recover in order to keep up a great
experience for the end user.
Recap 

Here’s the code we ended up with last month: 

Listing 1: dir_loop.rb

#!/usr/local/bin/macruby

require "fileutils"
require "pathname"

raise "Must run as root" unless Process.uid == 0

the_file = "/var/messages/user_message.txt"

# Use the directory given on the command line, or default to /Users
user_dir = ARGV[0]
user_dir = "/Users" if not ARGV[0]

# File.directory? is false for a missing path or a non-directory
raise "#{user_dir} is not a directory or doesn't exist" if not File.directory?(user_dir)

Dir.foreach(user_dir) { |x|
  the_destination = File.join(user_dir, x)
  # Only copy into real directories whose names don't start with a dot
  if (File.directory?(the_destination) &&
      Pathname.new(the_destination).basename.to_s[0] != '.')
    puts "Copying #{the_file} to #{the_destination}"
    FileUtils.cp the_file, the_destination
  end
}

We do perform some basic error checks: Is the user running this as root?
Does the directory containing all users actually exist? You'll notice,
though, looking at the code, that pattern of checking


As a System Administrator, you're very likely dealing with running code
that you write, running on systems that other people use. The code that
you push there has a task, and will affect the user (or users) of that
system. You may write a small chunk of code as a one-off, and push it out
with Apple Remote Desktop, or, you may be writing something that is to be
run repeatedly and sent out to a large audience (using something like
Puppet or Casper). The idea of this code is typically to enforce some
policy, work around some bug or to improve the end-user experience. Let's
think about each of those scenarios.

Enforcing policy comprises a lot of what a Sys Admin has to handle. This
policy is likely company-wide, and not necessarily set by you. For
example, there may be a policy in place to enforce screen saver locking
after a period of no longer than 10 minutes. There is currently no way to
handle this purely with Apple's Managed Preferences, so, you need to
write a script to handle this scenario. This is a simple "defaults
write..." command. But what if the end user locks this file and you can't
write to it?

Sometimes, you need to roll out some code in order to work around a bug.
Most code—in the OS itself or in third-party software—has bugs. Some bugs
can be tolerated, but others are more severe. Sometimes, you're
completely dependent on the vendor to fix the issue, but other times, you
as a Sys Admin can help your users to work around the issue. As an
example, I once rolled out a product that after installation, it
installed itself as a Login Item. The bug was that it went a bit haywire
at first run after login, but I did need it to run at least once. The
solution was a script that made sure the third-party software ran at
least once, and then removed it from the user's Login Items, working
around an issue in a third-party piece of software.

Finally, you may write a script that helps your end-users through some
task. As is typical, when a newly imaged machine is handed out to an
employee, there are typically some setup tasks associated with the first
launch: choosing the right printer, associating to the right SSID and so
on. This is all scriptable. Let this script be your triumph, and not your
downfall. The person may attempt first login when the conditions you
expected aren't available: they bring their laptop home and login there
(despite the instructions that first login must happen while on the
corporate/school network), or they follow directions, but the network is
having issues.

Grace 

The common theme in the scenarios just presented is that things won't
always work the way you expect. When that happens, your code can either
crash (booooo!) or, recover gracefully and perform some useful action.
Perhaps that's alerting the user. Perhaps that's just reporting an error
to a central console or automatically logging a help desk ticket. Do
whatever is appropriate for your environment (and possible at the time).
Let's see how to do this with Ruby.

As you can see from the script we presented last month, the raise command
raises an error. You may have even made errors while practicing with Ruby
that cause Ruby to raise an error for you. This happens whenever Ruby
encounters a situation where it just cannot continue. What happens if you
try to call a method that doesn't exist? You can easily see this in
action. Recall that everything in Ruby is an object. Objects have methods
that perform actions. Let's watch one that performs as expected. Run
macirb—the interactive MacRuby environment—and use the next method on the
object 1.

$ macirb
irb(main):001:0> 1.next
=> 2


That does work as expected. Let’s call a method that doesn’t 
exist for the object 1: 

irb(main):001:0> 1.foo
NoMethodError: undefined method `foo' for 1:Fixnum

Ah! You'll see that Ruby raises an error—specifically, in this case, a
"NoMethodError". If this method call were part of a program, the run
would normally end once it tried to run that line. Let's have a look at
the most basic framework for how you can save this program. Listing 2
shows a short program that creates an error and then rescues that error.

Listing 2: rescue_me.rb

#!/usr/local/bin/macruby

begin
  1.foo
rescue NoMethodError
  puts "caught a NoMethodError"
end

Running this program simply prints one line: 

$ ./rescue_me.rb 
caught a NoMethodError 

What is significant about this is that you can pretty much do anything
once you catch the error. The best part about it is that you're not
leaving an end user with a bad experience; not a crashed program, and not
filling a machine's logs with crash reports. So how does this work?

The rescue statement does the work of capturing an error condition. Most
importantly, a rescue statement works only in the confines of a block. In
Listing 2, we create a block with the begin...rescue...end construct.
Now, let's look at the small sample application we've been writing.

The first noticeable weak spot in our application is when we attempt to
copy the file into place. If the program is going to have trouble
somewhere, this is it. We need to wrap the FileUtils.cp call with a
begin...rescue...end block. Added code is in bold:

puts "Copying #{the_file} to #{the_destination}"
begin
  FileUtils.cp the_file, the_destination
rescue SystemCallError => e
  # e holds the exception object; e.message describes what went wrong
  puts "Copy failed! #{e.message}"
end

If this code encounters a file that it can’t copy over, instead 
of crashing, it prints a line like this: 

Copy failed! Operation not permitted - copyfile() failed

...and continues operation. Of course, you can think of something more
appropriate to do, depending on the actual severity (Log the problem?
Warn the user? Report it to a central console?)

You can see that the FileUtils.cp call is now inside of a begin...rescue
block. If there is an error and Ruby raises a SystemCallError, the code
inside of the rescue block is run. (All file-related errors fall under
the SystemCallError class.) We'll take more details about the error
passed into a variable named 'e'.

One thing to note on rescuing errors: while you may be tempted to, or see
code that doesn't rescue a specific error, resist the temptation. Don't
use a rescue statement with no specific error, thereby catching all
errors. That gets sloppy and can just mask larger issues.

Also, avoid putting too many lines of code inside of a begin...rescue
block as this makes it much more difficult to pin down the actual line
triggering the error and providing an appropriate rescue action. When an
exception is raised, control transfers immediately to the rescue block,
skipping the remainder of the statements in the begin block.

How do you know what error Ruby will raise for you to catch? Sometimes,
it's just good old trial-and-error. More directly, errors will fall under
certain classes, and you can often gauge it straight-away. Most Ruby
books will list error classes, or, you can find similar collections
on-line. For example, here: http://macte.ch/except.

Methods, Functions and Raising Errors

Methods and functions are a little special. First, they form their own
block, so you don't need an explicit begin. Therefore, a method or
function could be defined like this:


def SomeDivision
  x = 1
  y = 0
  z = x/y
rescue
  puts "You tried to divide by zero!"
end

Second, you likely don’t want to rescue and save in a 
method or function—particularly in a class. When an 
exception is raised, the exception travels up the call stack 
until it is either handled, or the program throws an error and 
dies. You’ll want to raise your own custom error, and let 
whatever is calling the method trap and handle the 
exception. 

To raise an error on your own, you can simply just use the raise command,
as seen in Listing 1. To raise your own custom exception, you create your
own error class. This class should inherit from StandardError, and
doesn't need to be more than a stub:

class NotInstalled < StandardError
end

Then, you can raise the exception and pass in a specific message:

raise NotInstalled, "Application not on this disk."

This exception will need to be caught by whatever is calling your
method/function/class.
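
The two ideas above, a narrow begin...rescue around the copy and a custom error left for the caller to handle, put together in one script. This is an added example, not code from the column: deliver_message, deliver_to_all, run and demo are hypothetical names, and the temporary directory tree is constructed sample data (a directory sitting where the file should go stands in for a locked file, so the copy fails no matter which user runs it).

```ruby
require "fileutils"
require "tmpdir"

# Custom error in the style the column describes: a stub under StandardError.
class NotInstalled < StandardError
end

# Hypothetical helper: copy the_file into one home directory.
# It rescues nothing itself; any exception travels up the call stack.
def deliver_message(the_file, home)
  raise NotInstalled, "#{the_file} is not on this disk." unless File.file?(the_file)
  FileUtils.cp(the_file, home) # file errors surface as SystemCallError (Errno::*)
end

# Walks user_dir like Listing 1, with one narrow begin...rescue per home, so a
# failure is tied to a single copy and the loop carries on with the next home.
def deliver_to_all(the_file, user_dir)
  report = { copied: [], failed: {} }
  Dir.children(user_dir).sort.each do |name|
    home = File.join(user_dir, name)
    next if name.start_with?(".") || !File.directory?(home)
    begin
      deliver_message(the_file, home)
      report[:copied] << name
    rescue SystemCallError => e # specific class only; NotInstalled passes through
      report[:failed][name] = e
    end
  end
  report
end

# Top-level caller: the one place that decides what NotInstalled means for a run.
def run(the_file, user_dir)
  deliver_to_all(the_file, user_dir)
rescue NotInstalled => e
  { aborted: e.message }
end

# Constructed sample tree: three homes, one hidden entry, and one home (bob)
# where a directory already occupies the destination file name.
def demo
  Dir.mktmpdir do |root|
    users = File.join(root, "Users")
    %w[alice bob carol].each { |u| FileUtils.mkdir_p(File.join(users, u)) }
    File.write(File.join(users, ".localized"), "")
    FileUtils.mkdir_p(File.join(users, "bob", "user_message.txt"))
    the_file = File.join(root, "user_message.txt")
    File.write(the_file, "Maintenance tonight at 22:00\n")
    [run(the_file, users), run(File.join(root, "missing.txt"), users)]
  end
end

if __FILE__ == $PROGRAM_NAME
  ok, aborted = demo
  puts "copied:  #{ok[:copied].join(', ')}"
  ok[:failed].each { |name, e| puts "failed:  #{name} (#{e.class})" }
  puts "aborted: #{aborted[:aborted]}"
end
```

The per-home failure is recorded and the loop continues, while the missing source file stops the run at the top level instead of being reported once per home.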

Conclusion 

This was a high-level look at raising and handling error conditions in
Ruby. No matter the language, the main thing to remember is that things
will go wrong. No matter how trivial you think the job is, your code
should be prepared and handle problems gracefully. You'll be seeing more
of this in future Mac in the Shell columns.

Media of the month: The Incident, by Big Bucket Software. Get this on iOS
or Mac OS X in their respective App Stores. It's just great retro-like
gaming fun. You deserve and need a break every now and then, and this one
is great.

Until next month, like I've said before, get some more Ruby practice in
on your own and don't be afraid to experiment!


Introduction

MacOS X 10.6 brought something new to the scripting 
arena, something that benefits developers and users alike. 
AppleScript, that friendly and easy to use script language, has 
finally gone native. 

In today's article, we will try to understand what this means. We will
trace AppleScript's growth—from its quiet beginnings in System 7, to its
underused role in Mac OS Classic, and to its latest form in Snow Leopard.
We will learn the benefits of going native, as well as some notable
issues.

Next, we study how a typical Cocoa class translates itself into a script
object. We look at how said object interacts with the Cocoa framework,
with scripting additions and with scriptable applications. Later on, we
go through the steps of building a native AppleScript application using
the latest Xcode suite.

Readers are expected to be familiar with Xcode and with 
the AppleScript language. 

A Language Grows Up 

AppleScript, as you may know, is a script system that comes as part of
the Mac OS X platform. It is noted for its natural language syntax, weak
dynamic typing, extensibility, and some support of object-oriented
concepts.

AppleScript started life as the “de facto” script system on 
System 7 Pro. There it languished, underused and 
unappreciated, partly due to the lack of useful scriptable 
applications. It also suffered from the presence of HyperCard, 
a popular and well-established product, whose language, 
HyperTalk, uses a similar syntax. 

But the appearance of a scriptable Finder gave AppleScript a credible
boost. Then a scriptable version of QuarkXpress made AppleScript popular
with the desktop publishing crowd. Another product, FaceSpan, gave
AppleScript the means to display a user interface. Also, a wide range of
scripting additions allowed AppleScript to do tasks not possible with
just its core language.

MacOS X gave AppleScript some new footholds, thanks to a couple of key
technologies. First, there was Automator. This utility eases the task of
writing a script (now called a workflow). It spares average users from
the trouble of searching and studying every scriptable app. All possible
actions are within reach, ready to be added to the workflow.

Then there was AppleScript Studio. This one allows advanced users to
create applications using their AppleScript skills and Xcode. Users get
to create complex interfaces and assign each interface widget with the
desired action. Additionally, they get to reuse their existing library of
scripts and scripting additions. In many ways, AppleScript Studio took
over the role of the now defunct FaceSpan.

One more push 

Yet, AppleScript still has a few hurdles to overcome. It is still an
interpreted system. Though scripts are compiled into byte code, they
still run one line at a time. This means AppleScript scripts and apps are
slower when compared to native apps.

Apps built with AppleScript Studio use only a limited subset of Cocoa
classes. Most of the classes are interface widgets with a restricted set
of properties and actions. Classes like NSData and NSString are not
available to these apps.

These hurdles cease to be when Mac OS X 10.6 introduced the
AppleScriptObjC code bridge.

Crossing the Bridge 

AppleScriptObjC, ASOC for short, is a bridge framework. It lets
AppleScript extend and use classes defined in Cocoa frameworks like
AppKit, Foundation, and Core Data. The bridge framework sits inside the
root directory /System/Library/Frameworks. At the time of writing, only
Xcode can work with the ASOC framework. However, it is possible for
third-party IDEs like Eclipse to use the same framework in the near
future.

Also, applications that use ASOC can run only on Mac OS X 10.6 and newer.
To support earlier versions of Mac OS X, those same applications will
have to be rewritten and rebuilt with AppleScript Studio.
The script object

All Objective-C (ObjC) classes are rendered in ASOC code as script
objects (Listing 1). This is the same script object that AppleScript
uses, but with some notable additions. For instance, the first half of
the object is its list of properties. The first property of that list
sets the object's base class. The class instance sits inside the reserved
noun parent. And the class name is preceded by the keyword class.

Listing 1. A typical ASOC script object.

script Foo
    -- BASE PROPERTIES
    property parent : class "NSObject"

    -- OUTLET PROPERTIES
    property outFoo : missing value
    property inpFoo : missing value

    -- MISCELLANEOUS PROPERTIES
    property pFoo : "narf"

    -- ACTION HANDLER
    on doFoo_(aSnd)
        -- your action code goes here...
    end doFoo_

    -- INSTANCE HANDLER
    on doConvert()
        -- your handler code goes here...
    end doConvert

end script

Some properties on the list may serve as outlets. These get the noun
missing value as a rule. Some serve as instance properties. These get
explicit values, which also "sets" the property's data type. But unlike
in an ObjC class, the properties of an ASOC object are dynamically typed.
The same property may hold a string at first, an integer the next. This
can be a problem—properties meant to be outlets could be given an
unwanted value by mistake.

Script properties are also always public. When a script object gets
subclassed, its properties can be read and altered by the subclass. An
external handler can also read and alter that same object's properties.
On the other hand, an ObjC class can choose which property can be public
and which remains private to the class.

The second half of the script object is made up of handlers. Handlers are
script routines that perform a specific task or supply a specific
service. Some handlers service a widget action. They get the widget
itself as an input argument and they do not return a result. Some work as
delegates, taking over tasks that are otherwise processed by the base
class. They may validate an action about to take place or check on a data
value being provided. Finally, some handlers serve as instance methods.
These allow script objects to interact with one another.

Again, unlike in an ObjC class, all the handlers in an ASOC 
script object are available publicly to other script objects. 

Working in the object

All handlers in an ASOC script object open with the keywords on or to
placed before their names. They close with an end keyword, again placed
before their names. Now most handlers render their input arguments as a
positional list (Listing 2). Each argument in the list is separated by a
comma; the whole list enclosed in parenthesis.

Listing 2. A handler using a positional argument list.

on doFoo(aArg1, aArg2)
    -- handler code goes here
end doFoo

To invoke the handler, simply type its name and pass its arguments in the
order they appear. The snippet below passes an integer 2 for the first
argument, a string "narf" for the second:

doFoo(2, "narf")

Like properties, arguments are dynamically typed. Their values can be
swapped easily with nary a complaint from the compiler.

doFoo("narf", 2)

On the other hand doing so may lead to a runtime error, especially if the
handler expects some of its arguments to be of a specific type.

In ObjC, an action routine has the macro IBAction before its name and a
colon token (':') after. It gets the calling widget as its main argument,
with a type of id. To translate this routine into ASOC, replace the colon
with an underscore ('_'). Do away with the id type and the IBAction
macro. So if the ObjC action is (IBAction)doClick:(id)sender, its ASOC
form will be as shown in Listing 3. Notice that the handler name after
the end keyword still has its underscore token.

Listing 3. The action handler in ASOC form.

on doClick_(sender)
    -- action code goes here
end doClick_

Delegate handlers are also translated in the same way. For example, if
the ObjC delegate is (BOOL)textShouldBeginEditing:(NSText *)textObject,
its ASOC form will be as shown in Listing 4. Now this delegate has to
return a BOOL to the calling class. The equivalent type in ASOC is, of
course, a Boolean: true for YES and false for NO.

Listing 4. The delegate handler in ASOC form.

on textShouldBeginEditing_(textObject)
    local tFlg

    -- code goes here

    -- return the delegate result
    return (tFlg)
end textShouldBeginEditing_
On the other hand, instance handlers need not have an underscore in their
names, and they can have arguments rendered as labeled lists for better
legibility. For example, the handler doRange (Listing 5) marks its
arguments aBgn and aEnd with the reserved labels from and thru. Invoking
it is done as follows:

doRange from 1 thru 5 

The next handler, doCopy, starts its argument list with the 
reserved word given. It assigns each argument with its own 
label, followed by a colon. Invoking this handler is then done 
as follows: 

set tCpy to doCopy given source:tSrc, destination:tDst

Listing 5. Two examples of instance handlers.

on doRange from aBgn thru aEnd
    -- handler code goes here
end doRange

on doCopy given source:aSrc, destination:aDst
    local tCpy

    -- handler code goes here

    -- return the handler result
    return (tCpy)
end doCopy

Now, access to an object's instance properties is a simple and direct
matter. To read the value of a given property, for example pFoo, place
the property name after the keyword to.

set tLoc to pFoo

To assign or change a value, place the property name after the keyword
set.

set pFoo to tLoc

This, however, does not work when the property is an outlet. 
Outlets are they require special handling, which will 

be discussed later on. 

It is important, of course, for handler and property names to be unique.
They must not conflict with any of AppleScript's reserved keywords, with
those defined by a scripting addition, or with those defined by a Cocoa
class. Otherwise, the ASOC object will crash with a runtime error.

Yet sometimes, a handler or property must use a reserved word as a name
because the word conveys the right idea. To allow this, make sure to
enclose the name with vbar tokens ('|', 0x7c). These tokens tell the ASOC
bridge to treat the name literally. Otherwise, the bridge will use the
original definition. So suppose the script object appropriates the
reserved word 'set' as a handler name. Its handler block will be written
as follows:

on |set|()
    -- handler code here
end |set|

And that handler will be invoked as follows:

|set|()

Note the argument list sits outside the vbar tokens. 

Working with Cocoa constructs 

Naturally, the ASOC script object will have to interact with other Cocoa
objects. Interacting with the object follows some of the same rules as
those for the ASOC object. Colons are replaced by underscores; arguments
are passed as positional lists. On the other hand, the properties of a
Cocoa object are not public. These are accessed solely through setters
and getters.

To demonstrate, suppose the ASOC script property oTxt is an outlet to an
instance of NSTextField. To read the string value held by the field,
invoke the getter method stringValue() as follows:

set tStr to stringValue() of oTxt


Here, the preposition 'of' links the call to stringValue() with the oTxt
outlet property. We can invoke the same getter this way as well:

set tStr to oTxt's stringValue()

This time, the outlet property is in its possessive form when it refers
to stringValue().

Invoking a Cocoa object's setter method requires the use of a tell
statement. For instance, this snippet displays the phrase "Hello World"
on the oTxt outlet property:

set tTxt to "Hello world"
tell oTxt to setStringValue_(tTxt)

Note the underscore between the setter's name and the argument list. This
is because the ObjC method itself is declared as
setStringValue:(NSString *)aString, with a colon before the argument
aString.

Now suppose the ASOC script object needs an instance of a specific Cocoa
class. This requires the use of a constructor method, of which there can
be several in a given class. Consider the NSString class for example. To
create an empty instance of the class in ObjC, the string constructor is
invoked as follows:

tTxt = [NSString string];


In an ASOC script object, the same invocation will appear as follows:

set tTxt to string() of NSString of current application

The reserved phrase current application refers to the global application
process, which loads the NSString class from the Foundation framework. To
create an instance of NSString and assign it with a specific value, like
"foobar", the stringWithString constructor is invoked in ObjC as follows:

tTxt = [NSString stringWithString:@"foobar"];

Here is the same invocation from the ASOC script object: 

local tTxt
tell NSString of the current application
    set tTxt to its stringWithString_("foobar")
end tell

Note the use of a tell...end tell block to enclose the invocation to
stringWithString_(). Note also the local tTxt being declared outside the
block. This is to ensure that tTxt and its data remains valid after the
invocation.

Finally, suppose the ASOC script object needs access to a Cocoa constant
like NSZeroPoint or NSUIntegerMax. Here too, it uses the reserved phrase
current application to refer to the right constant. So this statement
reads the constant NSZeroPoint using a possessive form:

set tCon to current application's NSZeroPoint

This one does the same but using a prepositional form.

set tCon to NSZeroPoint of current application

Working with other constructs 

Finally, the ASOC script object can work with the same scripting
additions and scriptable apps that are available to a normal script. No
special calls or libraries are needed to use these constructs. All that
is required is for the addition or app to exist, and for its nouns and
verbs not to conflict with any part of the script object.

For example, to show a standard alert dialog, use the display alert verb
from the Standard Additions as follows:

display alert "Beware the Ides of Foo" message "Consider yourself warned" as informational

Make sure the above statement appears as a single line within the ASOC
script object. To retrieve the properties of the frontmost TextWrangler
document, use this tell...end tell block:

tell application "TextWrangler"
    get properties of document 1
end tell -- application "TextWrangler"

This ability to use scripting additions and scriptable apps brings a
number of benefits. First, it allows common tasks to be factored out into
a separate addition. It removes the need to deal with raw AppleEvents.
Also, it cuts project costs by encouraging code reuse.

Building with The Bridge 

To develop Cocoa applications using the ASOC bridge, use version 3.2 (or
newer) of the Xcode developer suite. As always, the latest version of the
suite is available from the ADC website at this URL:

http://developer.apple.com/technologies/xcode.html

Access to the suite requires a valid ADC account. Instructions on how to
create such an account are also available on the same site.

The sample project featured here is available from the MacTech website:
ftp://ftp.mactech.com

Starting a project 

Xcode supplies the template Cocoa-Applescript Application as a starting
point for most ASOC projects (Figure 1). This template comes in two
forms: one for utility-oriented apps, with a single window and
controller; another for document-oriented apps, with support for multiple
windows. This article shall focus only on the first template form.



To start an ASOC project, first choose New Project from Xcode's File
menu. This brings up the New Project assistant, which displays its
collection of templates. Select the template, but leave the checkbox
Create document-based application clear. Click the Continue button to
proceed to the next panel. For a project name, enter the string "Weight".
For a project location, leave it set at the home directory. Click the
Finish button to create the empty project.

In the empty project are six items (Figure 2), many of which are the same
ones found in a typical Cocoa project. For instance, the xcodeproj bundle
serves as the central point for the project. It keeps track of the
project files and holds the instructions needed to compile and combine
those files. The pch file caches the precompiled header code, while the
Info.plist file holds the bundle settings, and the main.m file defines
the entry function that starts the root application process. Of these
four items, only the Info.plist file needs to be updated.

Figure 2. The ASOC project items.


The next project item is [he Iproj bundle. This holds llie nili 
bundles that define the application's user interhices. It also 
holcis the localized strings needed by those interfaces. Then 
there is the source Tile 

WeightsAppDelegate . applescrlpt. It defines the 
controller class servicing the application’s sole window. It will 
be one of many source files that make up the application. 

Laying out the interface 

Locate the entry MainMenu.nib from the Groups and
Files pane of the Xcode main window. Double-click its icon to
open the nib bundle in Interface Builder. Like Xcode, Interface
Builder has had a number of improvements. One notable
change is in its widget palette (Figure 3). Previously, this palette
presented its Cocoa widgets as a grid of icons. Selecting an icon
displayed the object's name and short description in a separate
panel. Now, the new palette shows the same objects as a list,
with names and descriptions next to each icon.

Figure 3. The new widget palette.

Building the interface is still the same as before. Just select
a widget from the palette and drag its icon onto the window or
menu. Figure 4 shows the layout of the main window of our
project Weights. Near the left edge are two Label widgets.
Near the top are two view widgets: a Text Field and a Popup
Button. Below that Text Field widget is a second Popup Button,
and below the latter is a second Text Field. The first Text Field
widget is enabled, ready to accept input. The second, however,
is disabled and read-only. Both Popup Buttons give the same
list of choices: kilogrammes, grammes, pounds and stones (UK
spellings).

Figure 4. The Weights main window.

Connecting the widgets 

As in most Cocoa projects, interface widgets connect to
their respective controllers in one of two ways: by outlets
and actions, or by bindings. This article will focus on the first
approach due to its ease and familiarity.

Switch to Xcode and locate the entry
WeightsAppDelegate.applescript from its
Groups and Files pane. This source file defines the ASOC
script object that serves as the window controller. That same
object also supplies the application's delegate handlers, but
we will skip this part for now.

Modify the file as shown in Listing 6. Here, the ASOC
object gets four outlet properties, all set initially to
missing value. It also gets the action handler
doConvert_(), with its sole argument labeled as aSrc.

Listing 6. Defining the controller.

WeightsAppDelegate

script WeightsAppDelegate
    -- BASE PROPERTIES
    property parent : class "NSObject"

    -- OUTLET PROPERTIES
    property oSrcVal : missing value
    property oSrcUnt : missing value
    property oCnvVal : missing value
    property oCnvUnt : missing value

    on doConvert_(aSrc)
        -- TO BE DEVELOPED
    end doConvert_
end script

Save your changes and switch back to Interface Builder and
locate the icon Weights App Delegate from the
MainMenu.nib window. Control-click the icon to display
its menu of outlets and actions (Figure 5). The names on that
menu should match those declared by the source file.

Figure 5. Listing the outlets and actions.

Now drag a line from the oSrcVal outlet to the first
Text Field widget. Drag another line from the oCnvVal
outlet to the second Text Field widget. Drag the next line
from the oSrcUnt outlet to the first Popup Button widget.
Do the same for the oCnvUnt outlet and second Popup
Button widget. This connects all four outlets to their
respective widgets.

Drag a new line from the first Popup Button widget to
the action doConvert. Repeat for the first Text
Field widget and for the second Popup Button widget. Leave
the second Text Field widget alone. This connects the
doConvert action to the three interface widgets. Notice
the action name appears with a colon, not an underscore.

Save your changes and switch back to Xcode.

Handling the action

Listing 7 shows the code for the action handler
doConvert_(). This handler begins by reading the
value held by the outlet oSrcVal. Then it reads the
menu items chosen from the outlets oSrcUnt and
oCnvUnt. It passes these three values to the instance
handler convertWeight. That handler returns a real
value, which doConvert_() then sends to the outlet
oCnvVal.

Listing 7. The action handler code

doConvert_

on doConvert_(aSrc)
    local tVal, tOld, tNew, tCnv

    -- read the entered weight value
    set tVal to floatValue() of oSrcVal as real
    set tOld to indexOfSelectedItem() of oSrcUnt as integer

    -- read the chosen weight unit
    set tNew to indexOfSelectedItem() of oCnvUnt as integer

    -- perform the conversion
    set tCnv to convertWeight given weight:tVal, ¬
        oldUnit:tOld, newUnit:tNew

    -- display the conversion result
    tell oCnvVal to setFloatValue_(tCnv as real)
end doConvert_

Note how the handler explicitly recasts the values it reads
and writes to the outlets. This ensures that the local
variables and the outlets get the right data types.

Implementing the other handlers

Listing 8 shows the code for the first instance handler
convertWeight. It takes three input arguments: the
original weight value, the original weight unit, and the
new weight unit. Note the handler presents its arguments
as a labeled list.

Listing 8. The main conversion handler.

convertWeight

to convertWeight given weight:aVal, oldUnit:aOld, newUnit:aNew
    local tCnv

    -- identify the original weight unit
    if (aOld = 0) then
        -- weight:unit:kilogrammes
        set tCnv to convertKilogrammes for aVal into aNew
    else if (aOld = 1) then
        -- weight:unit:grammes
        set tCnv to convertGrammes for aVal into aNew
    else if (aOld = 2) then
        -- weight:unit:pounds
        set tCnv to convertPounds for aVal into aNew
    else if (aOld = 3) then
        -- weight:unit:stones
        set tCnv to convertStones for aVal into aNew
    else
        set tCnv to aVal
    end if --(aOld = 0)

    -- return the conversion result
    return (tCnv)
end convertWeight

The convertWeight handler begins by identifying the
original weight unit. It then invokes the correct handler to
do the conversion. For instance, if the original weight is in
kilogrammes, convertWeight invokes the handler
convertKilogrammes.

Listing 9 shows the code for the
convertKilogrammes handler. It takes two input
arguments: the weight value and the new weight unit. Here
too, the handler presents its arguments as a labeled list.
The handler starts by checking the new weight unit. If the
unit is the same as the original, the handler returns the
weight value unchanged. Otherwise, it multiplies the value
by the right conversion factor.

Listing 9. Converting kilogramme weight values.

convertKilogrammes

to convertKilogrammes for aVal into aUnt
    local tCnv

    -- identify the new weight unit
    if (aUnt = 0) then
        -- weight:unit:kilogrammes
        set tCnv to aVal
    else if (aUnt = 1) then
        -- weight:unit:grammes
        set tCnv to (aVal * 1000)
    else if (aUnt = 2) then
        -- weight:unit:pounds
        set tCnv to (aVal * 2.20462262185)
    else if (aUnt = 3) then
        -- weight:unit:stones
        set tCnv to (aVal * 0.157473044418)
    else
        set tCnv to -1
    end if --(aUnt = 0)

    -- return the conversion result
    return (tCnv)
end convertKilogrammes

Naturally, conversion handlers exist for the three other 
weight units. To see their code, consult your copy of the 
demo project. 

Testing the demo project is quite straightforward. First,
choose Build from the Xcode Build menu. Once Xcode has
finished compiling the Weights project, click its Run menu
and choose Run. The Weights application should launch
and display its single window. Into the first Text Field
widget, enter a value of 10. Leave the first Popup Button
widget at its default setting of kilogrammes. Click the
second Popup Button widget and choose pounds as the
new unit. The second Text Field widget should display a
value of 22.046 pounds.

Wrapping Up 

MacOS X 10.6 gave AppleScript a new lease on life in
the form of a bridge framework. With this framework,
applications written in AppleScript gain full access to most,
if not all, Cocoa objects. They get to run natively, while still
using the same constructs as normal AppleScript scripts.

In this article, we studied how the AppleScript script
object works within a Cocoa project. We learned how the
object declares its outlets and actions, and how it interacts
with scripting additions and scriptable apps. Next, we used
the latest version of Xcode to build a basic AppleScript
application and linked it to the new bridge framework. We
laid out the application's window view and defined its
controller object.

Thus ends our first foray into the world of
AppleScriptObjC. Stay tuned as we look at other topics like
bindings, debugging, and threading.

Until then, I bid you all good day.

Consultant Cowboy

by Ryan Wilcox

Looking Back on 2010

Retrospective for Your Consultancy

Thinking about what went well, what didn't go so well, and
places you can improve


Introduction 

Initially this article was going to be about marketing (it's
not as sleazy as it sounds... really). However, my own client
work has prevented me from getting very far along in the
writing process.

Instead, given that 2010 is over but still reasonably close
in memory, it's time to talk about a practice I've had (off and
on) since starting my consultancy business: yearly
retrospectives.

There are plenty of ways to do a retrospective (listing
out events by month, or by listing out critical events, for
example). If we take a bit of focus, however, we can extract
useful information.

A yearly retrospective is going to be more involved than
one you have every few weeks (if you've started that
practice), although they follow a pattern from Agile software
development.

To get your creative juices flowing, I'm going to include
sections of my own retrospective in appropriate parts of this
article, as an example of what I mean.

What is a Retrospective, and 
Questions for your own 
Retrospective 

In Agile software development, at the end of an iteration 
(on my current team, every 2 weeks), we ask ourselves: 

* What went well 

* What didn’t go so well 

* What we could do better. 


A yearly retrospective can follow the same basic format,
with the questions tweaked a little bit. The idea here is to get
you thinking about the last year, and planning for the year
ahead. If you save your yearly retrospectives you'll have a
history of the business, year by year, for future reference.

If you can identify what went wrong last year you can
avoid those problems in the coming year.

The questions I like for my yearly retrospectives are:

* What went well?

* What didn't go so well?

* What can I do better?

* How can I improve?

* What are my goals for the new year?

What Went Well in 2010?

List some of your decisions that went really well. Maybe
being more active in the local chamber of commerce brought
in a lot of work. Did you go to a conference that was
particularly interesting? Meet your sales goals?

Make sure to list personal things too: "Got into the
practice of playing with my kids from 3-4 PM after school", for
example. Places where you used your freedom as a consultant
to do what you wanted to do.

If any particular business effort was met with great
success, put it on this list.

If you set goals for 2010, how did you do towards
meeting those goals? Did you meet or exceed your estimated
tax number, for example?

Think about the things that went better last year than they
did the year before, if you've been in business that long. I
know in 2009 I had some money troubles, but 2010 was a
good year, financially.

Did you do something last year that surprised yourself?
Pay off a credit card bill early, cold call someone that would
turn out to be a big client, do something technically amazing?
These are important to write down too.

In my own retrospective I wrote: 

This year I discovered a few new techniques for keeping
clients informed. For example, I have one main client
and a few smaller clients on the side. Around November
I started sending them an email when I was done with
their project for the day. The email contains three
sections:

1. A "Today I" section, describing what I did

2. A "Next Time, I shall" section, describing what I
plan to do next time I sit down at the project

3. A "Bigger picture, how's it going", where I give the
status of a project as a whole.

This seems to work really well for me.

I also got time to think about my business as a business,
and the Consultant Cowboy series is a result of some of that
work. Being able to think about business directions, goals, and
plans was important for me this year (as 2009 was not so good
that way).

What didn’t go so well? 

List some of the events, in 2010, that weren’t so great. For 
example, was money tighter than you would like? (Or did you 
run out completely?) That would certainly be something that 
didn't go so well! 

Maybe your projects were very stressful, or you had a 
hard time juggling all your simultaneous clients or 
responsibilities. Did you have to sacrifice on your personal 
goals one too many times, for the sake of a paycheck? 

Maybe client work had you traveling too much, or not 
enough. 

In my own retrospective, I wrote:

I certainly had some things not go well in 2010. I was
on the road every other week from January until
October. This meant that I was traveling every weekend
(coming back, or leaving). This really added to my
stress level and also cut into time I could have been
doing other things (work, relaxing, helping around the
house).

What can I do better? 

Think about what you could do better in the coming year.
Maybe this relates to your "What didn't go so well" items,
maybe they are separate. I find there's a fair bit of overlap
between this category and the previous one, but not always.

For example, the travel situation I mentioned in my "What
didn't go so well"? That situation resolved itself by mid
October, so there's nothing more for me to do. I certainly
don't want to ever do that again, but the situation improved
itself.

If you’re just starting off, maybe what you could do better 
is find more clients, or get your name out there. 

Maybe you want to make more time for self-improvement: 
learn a new programming language, or get better at shell 
script, or go to more conferences. 

In my own retrospective, I wrote:

What I want to do better is have a better work/life balance.
For example, I spent too many nights falling asleep, laptop
open to some code. This is not good at all (one of these
days I'm going to drop the laptop in my sleep).

How Can I improve? 

There's a lot to be said about striving for continuous
improvement, making sure you are improving the services you
can offer to clients, and their experiences with you. Now is the
time to think of areas where your business can improve,
particularly in three areas:

1. How can I improve my technical knowledge?

2. How can I improve the quality of my work?

3. How can I improve how I solve customer problems?

4. How can I improve how I work relative to my
competition?

5. How can I improve how profitable I am?

These are mostly self-explanatory, but some of them
deserve more digging.

For example, the question of "How can I improve the
quality of my work?" I hate to revert back to business-speak,
but this is the most familiar way to ask the question. I also
think there's excellent room for personal interpretation here,
so you may take this question in a different direction - that's
great!

Improving the quality of your work might mean learning 
and exploring tools you’ve been hearing about, but have been 
ignoring. (For example, using the Git or Mercurial source 
control system to control system administrative tasks). Maybe 
it’s taking more time to think about your code, before just 
typing it, or do more testing. 

In my own retrospective I wrote:

I need to spend more time building larger portfolio
pieces. So much of my work is hidden behind firewalls
or for private clients. I need to work more on personal
projects that I can show the world, and take the
opportunity to learn the latest versions of various
frameworks I use... especially when clients have frozen
their application to being 1-2 versions behind the latest
framework version.

Another interesting question, with more interpretations
than you might think, is "How can I improve how profitable I
am?". This last question isn't all just about the money. For
example, "profit" might be taking a cut in client work, but
taking Fridays off. Or spending more time of the day doing
things that are important to you. Maybe "profitable to you,"
this year, means, "Money in the savings account".

Whatever profitable means, what are the steps you can 
take to make sure that happens? 

On the "Money in the savings account" perspective, there
are a number of areas to look at for possible improvement. For
example, how long does it take you to put an invoice together
for a client? It used to take me all morning, but now it takes
me about 3 minutes (because I'm now using better tools)!
Finding time waste and eliminating it is probably the best
thing a consultant can do on this front: find hours in your day
that are unbillable, and fix it so they can become billable.

More profitable might also mean changing the type of
projects you take on, or changing your pricing/billing strategy
so you have fewer projects where the money falls through at the
end, or the project takes twice as much effort as the budget.
(A later Consultant Cowboy article will talk about both of
these situations.)

What are my goals for the new year? 

Think about your goals for the new year. It's tax time
soon, so you're going to have to estimate how much money
you'll make in 2011 (at least in the US, where small businesses
have to pay quarterly taxes). So a financial goal is an obvious
choice. Maybe you have other goals: putting aside a certain
amount of money into your savings account for a rainy day is
another excellent goal.

Maybe your goal is to work less and make the same
amount of money, or do some lifestyle design: spend a month
working from a beach house in Hawaii, perhaps.

These goals should influence your actions for the coming
year. For example, if you want to work from Hawaii, then you
should pass up that new client that wants you onsite 40 hours
a week.

Your goals can (and should!) somewhat be fed from the
"What I could do better" section. Think of the goals as the
action items, the steps to solve, the items on the "What I could
do better" list.

If you're looking at becoming a consultant, you can have
goals here too. For example, a good goal for you might be
finding 2 part time clients for 2011, or bringing in $5,000
moonlighting.

Do you have any technical goals for the new year? For
example, learn more Javascript, or get your Cisco CCNA
certificate.

Did you have a goal for last year that you want to carry
over this year? For example, if your goal last year was to make
$100,000 in sales, but you only had $80,000 in sales, then
maybe it's a fine goal for 2011.

In my own retrospective, I wrote: 


I need to publish some Ruby Gems and Python Packages
I've been thinking about packaging and haven't had
time to publish.

Conclusion 

There are two purposes for these questions. The first is
simply to write them down, to have a history of your business.
The second is to have a plan for the new year. The plan will,
more than likely, look silly and unrealistic (all at the same
time!) come June, but the act of planning will be valuable.

Likewise, if you know: "Hey, I want to make more money
this year", the sooner you start on your plans for that the
better.

Your answers to the retrospective questions contain a
treasure trove of information; stuff that went well you want to
continue to repeat, for example.

Until next time, see you, consultant cowboy 


About The Author 

Ryan Wilcox has been consulting on his own for the last 8 years, through
ups and downs in his business. In 2009 he started thinking about best
practices for business, in addition to his normal thinking about
programming. He can be found at: bttp://www.v^xd.antt. Have
thoughts or want to give feedback on this article? rvi^x@w3ioxdMm



Using Nmap for Security


By Mihalis Tsoukalos 




Introduction 

A few years ago, I was working as a UNIX system
administrator. It was important for me to be able to check the
open ports of my servers in order to see if they were as secure
as needed. This was the first time that I heard about nmap and
I should tell you that I have been continuously using nmap
since then! In this article, you will learn more things about
Nmap.

Nmap is an open source tool created by Gordon "Fyodor"
Lyon that supports port scanning, operating system detection,
version detection and more. Nmap is also very famous, as it has
even been used in the "Matrix Reloaded" movie.

Nmap can be useful to network administrators as well as
advanced users and hackers. There are versions of nmap that
run on most UNIX systems including Mac OS X.

Warning: While trying the techniques presented in this 
article, you can easily create a temporary DoS (Denial of 
Service) on a network or a computer. You have been warned! 

What is Nmap? 

Nmap stands for Network Mapper and supports more than
15 scanning techniques. Nmap can be used for securing your
own network (this is not hacking!) but nmap can be used for
hacking as well.

As you can see from the next output, I am running nmap
version 5.21 and I am using the MacPorts version of nmap.

mtsouk$ /opt/local/bin/nmap --version
Nmap version 5.21 ( http://nmap.org )

Note: When scanning hosts that are not on your local
network, keep in mind that intermediate devices such as
routers, firewalls and proxy servers can mislead nmap and may
provide incorrect information.

Simple Nmap usages 

The most useful and usual nmap scans are the following: 

TCP SYN scan (nmap -sS) 

The SYN scan never creates a session and never appears
in a log file because the TCP connection is never completed.
But, it requires privileged access (it has to run as root or
administrator user). What it gives you is information about the
open, closed or filtered ports, which is a good start when trying
to evaluate the security status of a computer or a network.

You should keep in mind that although the TCP SYN scan
does not leave any log info by itself, modern firewalls and
capture programs can detect TCP SYN scans.
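
How a capture program can spot what the previous paragraph describes, as an added Python example (not code from this article or from the nmap project). The capture lines are constructed in tcpdump -n style, and the names build_sample and find_syn_scanners are assumptions. It counts, per source, the connection attempts whose three-way handshake was never completed.

```python
import re
from collections import defaultdict

# One tcpdump -n style line: time, src.port > dst.port, TCP flags.
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)


def build_sample():
    """Constructed capture: one SYN scanner and one ordinary web client."""
    scanner, client, target = "192.168.1.10", "192.168.1.20", "192.168.1.25"
    listening = {80, 139, 443, 445, 515, 9100}
    probed = [21, 22, 23, 25, 80, 110, 139, 143, 443, 445, 515, 9100]
    lines = []
    for i, port in enumerate(probed):
        sport, t = 46171 + i, f"21:44:{i:02d}"
        lines.append(f"{t}.0001 IP {scanner}.{sport} > {target}.{port}: "
                     "Flags [S], seq 1, win 3072, length 0")
        if port in listening:
            # Open port answers SYN/ACK; the scanner resets instead of ACKing.
            lines.append(f"{t}.0003 IP {target}.{port} > {scanner}.{sport}: "
                         "Flags [S.], seq 9, ack 2, win 5840, length 0")
            lines.append(f"{t}.0005 IP {scanner}.{sport} > {target}.{port}: "
                         "Flags [R], seq 2, win 0, length 0")
        else:
            # Closed port answers RST/ACK.
            lines.append(f"{t}.0003 IP {target}.{port} > {scanner}.{sport}: "
                         "Flags [R.], seq 0, ack 2, win 0, length 0")
    # Ordinary client: full three-way handshake followed by data.
    lines += [
        f"21:45:00.0001 IP {client}.50000 > {target}.80: Flags [S], seq 1, win 65535, length 0",
        f"21:45:00.0003 IP {target}.80 > {client}.50000: Flags [S.], seq 9, ack 2, win 5840, length 0",
        f"21:45:00.0005 IP {client}.50000 > {target}.80: Flags [.], ack 10, win 65535, length 0",
        f"21:45:00.0009 IP {client}.50000 > {target}.80: Flags [P.], seq 2:18, ack 10, win 65535, length 16",
    ]
    return lines


def find_syn_scanners(lines, min_ports=10):
    """Return {source: [(dest, port), ...]} for sources with at least
    min_ports distinct targets whose handshake was never completed."""
    attempts, completed = set(), set()
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue
        src, sport, dst, dport, flags = match.groups()
        flow = (src, sport, dst, dport)
        if flags == "S":
            attempts.add(flow)  # bare SYN: a new connection attempt
        elif flow in attempts and "." in flags and not set(flags) & {"S", "R"}:
            completed.add(flow)  # initiator sent an ACK: handshake finished
    half_open = defaultdict(set)
    for src, _sport, dst, dport in attempts - completed:
        half_open[src].add((dst, int(dport)))
    return {
        src: sorted(targets)
        for src, targets in sorted(half_open.items())
        if len(targets) >= min_ports
    }


if __name__ == "__main__":
    for src, targets in find_syn_scanners(build_sample()).items():
        print(f"{src}: {len(targets)} half-open attempts, e.g. {targets[:3]}")
```

The ordinary client is never reported, even with min_ports=1, because its handshake completes; the scanner is reported for all twelve probed ports, open or closed.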

TCP connect() scan (nmap -sT)

The TCP connect() scan is useful when you do not have
root access to a computer. But, it leaves traces in the log file as
it actually creates an open session to the remote computer.

Ping scan (nmap -sP)

This is a very quick scan as it only sends an ICMP Echo
Request and accepts an ICMP Echo Reply. The Ping scanning is
a very usual technique for scanning networks and it is not very
noticeable especially in busy networks. It does not require
special privileges in order to run it but it does not return much
information and it cannot be used in combination with other
types of scans. You should mainly use it to find the active
machines on a network.

UDP scan (nmap -sU)

This is a very useful scanning method because it uses the
UDP protocol which is nowadays very popular and used by
many services (such as audio chat software). There is no other
way to track open UDP ports using nmap. The UDP scan does
not create too much traffic and works well on machines
running Microsoft operating systems but it needs root privileges
to run. The following output is from scanning my own iMac:

$ sudo nmap -sU localhost
Password:

Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-21 20:14 EET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000053s latency).
Not shown: 997 closed ports
PORT     STATE         SERVICE
123/udp  open          ntp
2222/udp open|filtered msantipiracy
5353/udp open|filtered zeroconf

Nmap done: 1 IP address (1 host up) scanned in 37.78 seconds

You can also see another example of a UDP scan at the
Scanning a Cisco router section of this article.

Using Nmap 

The following is an example of using nmap against the
scanme.insecure.org machine that is made by the nmap creator
for testing nmap. This means that it is not illegal to run nmap
against scanme.insecure.org as your target.

user$ sudo nmap -A -T4 scanme.insecure.org

Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-03 21:44 EET
sendto in send_ip_packet: sendto(4, packet, 44, 0, 64.13.134.52, 16) => No route to host
Offending packet: TCP 192.168.1.10:46171 > 64.13.134.52:106 S ttl=46 id=36525 iplen=11264 seq=1991688463 win=3072 <mss 1460>
Sleeping 15 seconds then retrying
Nmap scan report for scanme.insecure.org (64.13.134.52)
Host is up (0.00064s latency).
rDNS record for 64.13.134.52: scanme.nmap.org
Not shown: 996 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh?
| ssh-hostkey: 1024 60:ac:4d:51:b1:cd:85:09:12:16:92:76:1d:5d:27:6e (DSA)
|_2048 2c:22:75:60:4b:c3:3b:18:a2:97:2c:96:7e:28:dc:dd (RSA)
25/tcp  closed smtp
80/tcp  open   http?
113/tcp closed auth
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
No OS matches for host

TRACEROUTE (using port 113/tcp)
HOP RTT     ADDRESS
1   2.05 ms 192.168.1.1
2   2.05 ms 192.168.1.1
3   2.05 ms 192.168.1.1
4   2.06 ms 192.168.1.1
[output removed for brevity]
28  1.78 ms 192.168.1.1
29  1.78 ms 192.168.1.1
30  1.77 ms 192.168.1.1

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.16 seconds
user$

The Nmap arguments used in this example are -A, which
enables operating system and version detection (known as
TCP/IP fingerprinting), script scanning, and traceroute, and -T4
for faster execution. Please note that if you run the same
command without root privileges (without the sudo command
or without being root), you will get a different and less detailed
output. The -T option is useful for slowing down the scans in
order to avoid creating too much traffic and slowing down or
flooding a network or a host. The allowed values of the -T
option are 0-5. A smaller number sets up a slower scan.

Another useful option is the -sV that tells nmap to test for
application type and version for all ports found to be open. The
following is the output for my Mac:

$ sudo nmap -n -sV 192.168.1.1

Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-11 18:19 EET
Nmap scan report for 192.168.1.1
Host is up (0.0034s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE          VERSION
80/tcp   open  tcpwrapped
8081/tcp open  blackice-icecap?
8085/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port8081-TCP:V=5.21%I=7%D=12/11%Time=4D03A494%P=i386-apple-darwin10.4.0
SF:%r(NULL,9,"\xff\xfd\x18\xff\xfb\x01\xff\xfb\x03")%r(GetRequest,9,"\xff\
SF:xfd\x18\xff\xfb\x01\xff\xfb\x03")%r(FourOhFourRequest,9,"\xff\xfd\x18\x
SF:ff\xfb\x01\xff\xfb\x03");
MAC Address: 00:1D:19:SC:EB:27 (Arcadyan Technology)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.42 seconds

The -n option tells nmap not to try DNS resolution. 

The last example presented in this part of the article is a 
scan on my network printer, an HP OfficeJet 8500 with an 
Ethernet card. 

$ sudo nmap -O 192.168.1.25

Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-11 18:40 EET
Nmap scan report for OJ8500 (192.168.1.25)
Host is up (0.00077s latency).
Not shown: 986 closed ports
PORT     STATE SERVICE
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
515/tcp  open  printer
6839/tcp open  unknown
7435/tcp open  unknown
9100/tcp open  jetdirect
9101/tcp open  jetdirect
9102/tcp open  jetdirect
9110/tcp open  unknown
9220/tcp open  unknown
9290/tcp open  unknown
9500/tcp open  unknown
MAC Address: 00:26:55:6F:8D:A7 (Hewlett Packard)
Device type: printer
Running: HP embedded
OS details: HP Photosmart printer
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.00 seconds

Not all guesses are correct (it is not a Photosmart printer)
but Nmap found out that it is an HP printer that runs HP
embedded and has a web server running (ports 80 and 443 are
open). The funny thing is that because of the nmap scanning,
the printer printed an almost empty page with the text "GET /
HTTP/1.0" in the upper left corner!
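
Checking whether hosts are "as secure as needed" means comparing scan results such as the ones above with what each host is supposed to expose. The following Python is an added example, not code from this article or from the nmap project: it parses nmap's normal output format and reports differences from an approved baseline. The sample text is constructed from the outputs shown in this article, and the baseline, parse_nmap and audit are assumptions.

```python
import re

# Constructed sample in nmap's normal output format, shaped like the
# printer and localhost scans shown in this article.
SAMPLE = """\
Nmap scan report for OJ8500 (192.168.1.25)
Host is up (0.00077s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
80/tcp   open  http?
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
515/tcp  open  printer
9100/tcp open  jetdirect
MAC Address: 00:26:55:6F:8D:A7 (Hewlett Packard)

Nmap scan report for localhost (127.0.0.1)
Host is up (0.000053s latency).
Not shown: 997 closed ports
PORT     STATE         SERVICE
123/udp  open          ntp
2222/udp open|filtered msantipiracy
5353/udp open|filtered zeroconf
"""

# Constructed policy: the ports each host is approved to expose.
BASELINE = {
    "192.168.1.25": {(80, "tcp"), (443, "tcp"), (515, "tcp"),
                     (631, "tcp"), (9100, "tcp")},
    "127.0.0.1": {(123, "udp"), (5353, "udp")},
}

HOST_RE = re.compile(
    r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?\s*$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# open|filtered means nmap could not prove the port closed, so it
# still needs review.
EXPOSED = {"open", "open|filtered"}


def parse_nmap(text):
    """Return {ip: {(port, proto): (state, service)}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = hosts.setdefault(host.group(1), {})
            continue
        port = PORT_RE.match(line)
        if port and current is not None:
            number, proto, state, service = port.groups()
            # A trailing "?" marks a service name nmap only guessed.
            current[(int(number), proto)] = (state, service.rstrip("?"))
    return hosts


def audit(hosts, baseline):
    """List exposed ports missing from the baseline ("unexpected") and
    baseline ports that the scan did not find exposed ("missing")."""
    findings = []
    for ip in sorted(hosts):
        seen = hosts[ip]
        allowed = baseline.get(ip, set())
        for key in sorted(seen):
            state, service = seen[key]
            if state in EXPOSED and key not in allowed:
                findings.append(("unexpected", ip, key[0], key[1], service))
        for key in sorted(allowed):
            if seen.get(key, ("closed", ""))[0] not in EXPOSED:
                findings.append(("missing", ip, key[0], key[1], ""))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_nmap(SAMPLE), BASELINE):
        print(*finding)
```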

Advanced Nmap usage 

Scanning Multiple Hosts 

Imagine that you are in a big company with plenty of hosts
and you want to see which hosts are up. Also, suppose that
your company uses the 192.168.x.y pool of IP addresses. The
most versatile way to ping scan all the hosts is by using the
following command:

$ nmap -sP 192.168.0.0/16

The following is the output:

Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-11 16:30 EET
Nmap scan report for 192.168.1.1
Host is up (0.0067s latency).
Nmap scan report for 192.168.1.10
Host is up (0.0012s latency).
Nmap done: 65536 IP addresses (2 hosts up) scanned in 2574.11 seconds

This scan took more than 30 minutes but do not forget that
it scanned 65536 IP addresses!

You can even scan multiple hosts by providing nmap a 
range of IP addresses as in the following example: 

$ nmap -sP 192.168.1.1-200 

Or by using the syntax shown in the following example to
scan from 192.168.1.* through 192.168.50.*:

$ nmap -sP 192.168.1-50.*

Tip: while nmap is running you can press the "v" key to
increase the verbosity of the output. In the following example I
pressed the "v" key 4 times:

$ nmap -sP 192.168.0.0/16

Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-11 16:26 EET
Verbosity Increased to 1.
Verbosity Increased to 2.
Verbosity Increased to 3.
Verbosity Increased to 4.

The capital V will decrease the verbosity level. Pressing
"Enter" will display the current status, which is very handy when
the scanning process takes too much time.

You can also use a text file in order to specify the hosts or
the networks that you want to include in your nmap scan. The
following example will use the contents of a file named
scanThem as nmap's input to perform a Ping scan:

$ nmap -sP -iL scanThem

Excluding hosts (nmap --exclude) 

The easiest way to exclude hosts is by using the --exclude 
option. For example the full command to exclude the 
192.168.1.1 and 192.168.1.5 IP addresses from your scanning of 
the 192.168.0.0/20 subnet is the following: 

$ nmap -sP 192.168.0.0/20 --exclude 192.168.1.1,192.168.1.5 
Nmap scan report for 192.168.1.0 [host down] 
Nmap scan report for 192.168.1.2 [host down] 
Nmap scan report for 192.168.1.4 [host down] 
Nmap scan report for 192.168.1.5 [host down] 

If you have many IP addresses that you want to exclude 
you can put them in a text file (in this example it is called 
excluded_IPs) and use the --excludefile option as follows: 

$ nmap -sP 192.168.0.0/16 --excludefile excluded_IPs 

The exclude option (using either --exclude or 
--excludefile) has higher priority than the include option. 
Practically this means that in case of conflict, the exclude 
option wins. This does make logical sense as it is better to 
mistakenly exclude a host than include it and create a DoS or 
slow it down. 

Randomize hosts (nmap --randomize-hosts) 

This is a very clever technique! Imagine scanning host 
10.10.10.1, then 10.10.10.2, then 10.10.10.3, etc. Does it look 
suspicious for someone watching the network traffic? Of course 
it does! Using the --randomize-hosts option, nmap rearranges 
the group of hosts in its scan, which makes it more difficult to 
detect a pattern and therefore to get caught! You may ask why 
you need this if you only use nmap for good purposes. The 
answer is that there is a chance that you have an intruder (that 
you want to find) on your own network who also watches the 
network traffic, or that you want to scan a hostile network that 
attacks your hosts. 

Nmap output options 

Nmap can save its output in various formats. They are the 
following: 

nmap -oN <logfile name>. Normal format is for easy 
reading and looks nice when printed. 

nmap -oG <logfile name>. Grepable format makes it 
easy to locate information in the nmap output. Its major 
advantage is that all output for a single host is on a single line. 

nmap -oX <logfile name>. XML format is best suited 
when you want to display the nmap output as an HTML page 
or process it by other software. The Nmap XML document DTD 
can be found at http://www.insecure.org/nmap/data/nmap.dtd. 

Figure 1 displays the XML format output using Safari. 

Figure 1: The Nmap XML format rendered in Safari 

Scanning a Cisco router 

First of all, let me tell you that I will try to scan a Cisco 
router that I administer. So, there is no illegal hacking attempt 
here. You should not try to portscan an unknown router 
because there may even be legal implications. You have been 
warned! Also, note that x.y.z.w is the IP of the router that I hide 
from you - there is no point in securing a device and then 
publicly sharing its security status! 

In order to find out what kind of operating system a device 
runs or what kind of device a particular piece of equipment is, 
you can run nmap with the -O option. In the case of our router, 
the output is the following: 

$ sudo nmap -O cisco 
Password: 

Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-11 17:35 
EET 
Nmap scan report for cisco (x.y.z.w) 
Host is up (0.022s latency). 
Not shown: 999 closed ports 
PORT   STATE SERVICE 
22/tcp open  ssh 
Device type: WAP 
Running: Cisco IOS 12.X 
OS details: Cisco Aironet 1250 WAP (IOS 12.4) 
Network Distance: 12 hops 

OS detection performed. Please report any incorrect results 
at http://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 10.16 seconds 

As you can see, it only took 10.16 seconds and the guess 
is pretty accurate! Nevertheless, you have to keep in mind that 
nmap operating system detection is not always perfectly 
accurate. 

The next command (that needs root privileges) examines 
the Cisco router for open UDP ports. The command and results 
are the following: 

mtsouk$ sudo nmap -sU -T4 cisco 
Password: 

Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-04 20:15 
EET 
Warning: x.y.z.w giving up on port because retransmission 
cap hit (6). 
Nmap scan report for cisco (x.y.z.w) 
Host is up (0.019s latency). 
Not shown: 995 closed ports 
PORT     STATE         SERVICE 
123/udp  open          ntp 
161/udp  open          snmp 
162/udp  open|filtered snmptrap 
1701/udp open|filtered L2TP 

Nmap done: 1 IP address (1 host up) scanned in 812.51 
seconds 
mtsouk$ 

In the subsequent example, I tried to perform an operating 
system detection using the following command: 

$ sudo nmap -sSU -O cisco 

The aforementioned command combines the UDP and the 
SYN TCP scans. The output is the following: 

Nmap scan report for cisco (x.y.z.w) 
Host is up (0.020s latency). 
Not shown: 1605 closed ports, 390 filtered ports 
PORT     STATE         SERVICE 
22/tcp   open          ssh 
123/udp  open          ntp 
161/udp  open          snmp 
162/udp  open|filtered snmptrap 
1701/udp open|filtered L2TP 
Device type: router|switch|WAP 
Running (JUST GUESSING) : Cisco IOS 12.X (93%) 
Aggressive OS guesses: Cisco 2821, 6506, or 7206VXR router 
(IOS 12.2) (93%), Cisco 3560G switch (IOS 12.2) (91%), Cisco 
3750 switch (IOS 12.2) (89%), Cisco Catalyst 2960 or 3600 
switch (89%), Cisco Aironet 1250 WAP (IOS 12.4) (87%), Cisco 
Catalyst 3500 XL switch (IOS 12.0) (86%), Cisco 870 router 
or 2960 switch (IOS 12.2 - 12.4) (85%), Cisco 831 switch or 
1760 router (IOS 12.4) (85%) 
No exact OS matches for host (test conditions non-ideal). 
Network Distance: 12 hops 

OS detection performed. Please report any incorrect results 
at http://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 1656.85 
seconds 


The last scan is the following: 

$ sudo nmap -A cisco 
Password: 

Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-11 21:07 
EET 
Nmap scan report for cisco (x.y.z.w) 
Host is up (0.020s latency). 
Not shown: 555 closed ports, 444 filtered ports 
PORT   STATE SERVICE VERSION 
22/tcp open  ssh     Cisco SSH 1.25 (protocol 2.0) 
Device type: router|switch|WAP 
Running (JUST GUESSING) : Cisco IOS 12.X (93%) 
Aggressive OS guesses: Cisco 2821, 6506, or 7206VXR router 
(IOS 12.2) (93%), Cisco 3560G switch (IOS 12.2) (92%), Cisco 
3750 switch (IOS 12.2) (89%), Cisco Catalyst 2960 or 3600 
switch (89%), Cisco Aironet 1250 WAP (IOS 12.4) (88%), Cisco 
Catalyst 3500 XL switch (IOS 12.0) (86%), Cisco 870 router 
or 2960 switch (IOS 12.2 - 12.4) (85%), Cisco 831 switch or 
1760 router (IOS 12.4) (85%) 
No exact OS matches for host (test conditions non-ideal). 
Network Distance: 12 hops 
Service Info: OS: IOS 

TRACEROUTE (using port 21/tcp) 
HOP RTT     ADDRESS 
1   0.85 ms 192.168.1.1 
2   ... 30 

OS and Service detection performed. Please report any 
incorrect results at http://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 779.58 
seconds 

By running all the different nmap scans on the Cisco 
router, you can see that sometimes you do not get the kind of 
information that you want with your first try. Patience and 
experimentation with nmap can pay off! 

Summary 

Nmap is a very versatile tool for network mapping. You can 
learn many things about your hosts and their status. You should 
experiment with nmap in order to improve your knowledge 
and read its man page (man nmap) for learning all of its 
possible options. 

Network scanning is very useful for both checking and 
improving your network security. It is considered good 
practice to periodically run nmap and check for possible 
changes to its output. 
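
The grepable (-oG) format described under Nmap output options makes this periodic check easy to script. The following is an added example, not part of the original article: it pulls the open ports out of two saved -oG files and reports what changed between them. The function names, file names and sample scan lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): diff the open ports recorded in
# two nmap grepable (-oG) output files. All names here are illustrative.

# open_ports FILE
# Print one sorted line per open port: "<host> <port>/<proto> <service>".
# In -oG output each host is one line of tab-separated fields; the Ports
# field holds comma-separated port/state/proto/owner/service/rpc/version/.
open_ports() {
    awk -F'\t' '
        /^Host: / {
            split($1, h, " ")               # "Host: <ip> (<name>)"
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                p = $i
                sub(/^Ports: /, "", p)
                n = split(p, entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    # Only a definite "open" counts; "open|filtered"
                    # (common in UDP scans) and "closed" are skipped.
                    if (f[2] == "open")
                        print h[2], f[1] "/" f[3], f[5]
                }
            }
        }' "$1" | LC_ALL=C sort
}

# scan_changes OLD NEW
# Print "+ ..." for ports open only in NEW and "- ..." for ports open
# only in OLD. No output means the two scans agree.
scan_changes() {
    _old=$(mktemp) && _new=$(mktemp) || return 1
    open_ports "$1" > "$_old"
    open_ports "$2" > "$_new"
    LC_ALL=C comm -13 "$_old" "$_new" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$_old" "$_new" | sed 's/^/- /'
    rm -f "$_old" "$_new"
}

# write_samples DIR
# Create two constructed -oG files (sample data, not real scan results).
write_samples() {
    {
        printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
        printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)\n'
        printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
        printf 'Host: 192.168.1.10 ()\tPorts: 123/open/udp//ntp///, 162/open|filtered/udp//snmptrap///\tIgnored State: closed (998)\n'
    } > "$1/baseline.gnmap"
    {
        printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
        printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)\n'
        printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
        printf 'Host: 192.168.1.10 ()\tPorts: 123/open/udp//ntp///, 161/open/udp//snmp///, 162/open|filtered/udp//snmptrap///\tIgnored State: closed (997)\n'
    } > "$1/today.gnmap"
}

# Demonstration on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
scan_changes "$demo_dir/baseline.gnmap" "$demo_dir/today.gnmap"
rm -rf "$demo_dir"
```

With real data, save each run with nmap -oG <logfile name> and pass the previous and the current file to scan_changes.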

The bad guys use nmap, so you can too. I hope you will 
use it for good purposes, especially after discovering so much 
about it! 

In an upcoming article, you will learn how to examine the 
network traffic created by nmap using WireShark. 

Web Links 

Nmap site: http://nmap.org/ 
http://www.insecure.org/ 

Nmap Network Scanning: The Official Nmap Project Guide to 
Network Discovery and Security Scanning by Gordon 
Fyodor Lyon, Nmap Project, 2009 

A machine for testing nmap: http://scanme.insecure.org/ 

The Nmap XML document DTD: 
http://www.insecure.org/nmap/data/nmap.dtd 
Imaging & Patch Management 
for Mac OS X Clients using 
Windows Servers 

by Charles Edge 


Introduction 

The modern enterprise needs to make decisions and plans 
for the management of Information Technology assets that span 
across multiple years. The recent discontinuation of the Apple 
Xserve has led many environments heavily invested in the 
product to rethink their position. For environments needing 
officially supported products that wish to leverage existing 
Windows infrastructures, the Enterprise Desktop Alliance (EDA) 
brings professionals charged with managing enterprises a 
cohesive and manageable ecosystem of products that provide 
full, end-to-end support for Mac OS X, allowing file sharing, 
patch management, policy enforcement and ticket tracking on 
an existing Windows infrastructure. 

The EDA performed a survey of more than 1,200 
respondents that included responses from professionals 
involved in IT for corporate, government and education 
environments. The survey revealed that the services enterprises 
consider most important on an Xserve include file 
sharing, software updates, directory services and client 
management. All of these services can be run on Mac OS X 
Server, but can also be hosted on other platforms, including 
Microsoft Windows Server 2008. 

According to the survey, many environments will keep 
their Xserves for up to two more years. However, with the time 
it takes to get projects approved, planned and executed, it is 
likely that many environments will begin transitioning services 
to other Apple hardware or to other platforms soon. Therefore, 
this series of articles looks at the practical implementation and 
impact to environments previously using an Xserve that may 
look to transition to the Microsoft Windows platform. 

In this article we will look at managing software updates in 
a scalable fashion. Mac OS X Server allows administrators to 
build images, prepared with any automations required to make 
the image functional and then to re-image client computers 
with that image. Mac OS X Server also allows for caching 
software updates that are available through the Software Update 
System Preference pane so that administrators can control 
which patches are deployed to client computers and so that 
Mac OS X clients do not saturate an environment's external 
bandwidth while downloading these patches. 

There are a number of options available to enterprises 
looking to transition these services to other platforms. Given 
that many already have entrenched infrastructures based on the 
Microsoft Windows platform, this article will look at using two 
solutions, Absolute Manage and ExtremeZ-IP together in order 
to deploy software update services, patch management and full 
operating system upgrades to clients. 

We'll also go beyond what the Xserve could do and review 
what else Absolute Manage and ExtremeZ-IP can bring to the 
enterprise, with features such as clustering, 3rd party software 
patch management, change control, license management, 
imaging in place and security options that go far beyond what 
is otherwise available. Additionally the added support for 
managing patches and software updates for Microsoft Windows 
clients allows for a more centralized environment where both 
platforms can be managed within a single software package. 

Configuring Absolute Manage 

ExtremeZ-IP is an AFP file server that runs on Windows 
Servers. Absolute Manage is a software distribution server that 
allows environments to push software, patches, settings and 
even operating systems to client computers. They are both 
“customer installable” products, meaning that enterprises can 
install the software themselves, leveraging Absolute and 
GroupLogic to support the deployments, respectively. 
Professional services are available from both entities and 
respective resellers, but many environments with seasoned IT 
professionals will likely not need assistance given how easy 
both solutions are to set up and use. ExtremeZ-IP and 
Absolute Manage can be downloaded from 
http://www.grouplogic.com/eztrial and 
http://absolute.com/ert/requestinfo.aspx respectively. 

In this section of the article we will look at performing a 
basic installation of ExtremeZ-IP 7.1 and Absolute Manage 
5.3.1. The Absolute Manage solution is comprised of a few 
tools. Each has a specific purpose and can be used on different 
systems. These include the following (each of which can be run 
on either Mac OS X or Microsoft Windows): 

Absolute Manage Server: The server database and 
services that is the core of Absolute Manage, providing 
management of Mac OS X and Windows. 

Absolute Manage Admin: The tool used to configure and 
administer Absolute Manage Server, which can be used in much 
the same way that System Image Utility was used in terms of 
building automations and Apple Remote Desktop in terms of 
sending command sets to client systems. However, Absolute 
Manage Admin has many more features geared towards the full 
lifecycle management of devices. 

Absolute Manage Agent: The agent that runs on a Mac 
OS X computer for remotely managing the client, similar to the 
Software Update System Preference pane, which makes use of 
the softwareupdate command. 

Absolute MDM Server: A server to manage iOS (iPhone, 
iPod touch and iPad), which acts as a vehicle to enforce 
options from the iPhone Configuration Utility over the air. 
Absolute MDM Server extends beyond initial deployment of 
iOS-based devices and into the full lifecycle of the devices using 
MDM. 

Absolute Manage InstallEase: A tool for creating 
packages and disk images, similar to PackageMaker, used 
heavily with System Image Utility workflows in a Mac OS X 
Server environment. 

A few things to take into consideration with regards to 
Absolute Manage environments before starting to install 
components on servers: 

Absolute Manage Admin can be run on Mac OS X or 
Windows, according to which platform you are managing and 
remotely controlling. 


In order to deploy the Absolute Manage Agent for Mac OS 
X clients you will need a Mac OS X computer running Absolute 
Manage Admin. 

When using Absolute Manage Admin to push out Absolute 
Manage Agents, the packages will need an accompanying 
exported certificate file for Absolute Manage Server. Therefore, 
keeping the .pem file on that host (e.g. - in an encrypted disk 
image) will help to streamline the process for agent 
deployment. 

InstaDMG, System Image Utility (included with the Mac OS 
X Server Admin Tools), DeployStudio or another tool will be 
needed to build system images for in place operating system 
upgrades and for bare metal imaging. 

Absolute Manage will need all Mac OS X clients to be 
running SSH to install the Absolute Manage Agent automatically 
or have the Absolute Manage Agent installed on the system 
image in order to be managed by the server. SSH or the 
Absolute Manage Agent can be configured at installation time 
or on an image that is pushed out by one of the many imaging 
suites available to Mac OS X (e.g. - DeployStudio, NetRestore 
on Mac OS X Server, standard asr-based imaging, etc). If using 
SSH to push the Agent to clients, SSH can be disabled 
post-installation. We will explore installing the Agent further in the 
Building An Image section of this article. 

To get started with the installation, first download the 
installers and then run them both on the host that will be 
running the respective services. The installers are very basic and 
at this point should be fine with the default settings for each 
step. Once installed, go to the Windows Event Viewer and 
verify that there were no problems encountered during the 
installation. 

Many environments that are new to patch management will 
have existing imaging solutions in place. Taking the imaging 
environment and making it more scalable can be done using 
ExtremeZ-IP, often leaving your old infrastructure in place as 
well. 

Building a Secure and Scalable Location 
for Hosting Images and Payloads 

Mac OS X clients natively communicate via Apple Filing 
Protocol (AFP) when transferring files to and from file servers. 
ExtremeZ-IP provides administrators with a number of options 
geared towards scalability that are not available with Mac OS 
X-based AFP file servers, such as clustering. The stable, secure and 
scalable infrastructure that ExtremeZ-IP brings allows for a 
more streamlined imaging environment. 

When imaging, one of the most important aspects to 
consider is the heavy load that servers are put under when 
transferring the image of an operating system. ExtremeZ-IP can 
be used to serve up packages and images using AppleShare 
Filing Protocol (AFP). Most Apple imaging products that 
leverage a network connection (e.g. - NetRestore in Mac OS X 
Server and DeployStudio) are built on Apple Software Restore, 
usually accessed using the asr command. The asr command 
images a source, which can be a disk image on a FireWire 
drive, HTTP server, asr server instance or an afp server to a 
target, which is usually a local volume. 

A system boot drive cannot be imaged with asr while it is 
running. Therefore, during bare metal imaging Mac OS X is 
usually booted into a NetBoot environment. NetBoot is a way 
to boot a computer to a network volume rather than a local 
volume. Once booted to a network volume, images are then 
copied to the internal hard drive using asr. Once ExtremeZ-IP 
is installed and running on a Windows server, creating a share 
to host the image is done in ExtremeZ-IP Administrator. 

To create a share, open ExtremeZ-IP Administrator and 
click on the Volumes button. From the Volumes screen click on 
the Create... button. Using the Browse for Folder screen, locate 
a folder that is appropriate on the ExtremeZ-IP server (direct 
attached storage is supported; re-shares of SMB and DFS are 
not, although ExtremeZ-IP's DFS feature can refer to other 
shares) and click on the OK button. Once the 
directory has been shared, the volume will appear as well as the 
path that was previously provided. Here, a number of settings 
can be assigned (see Figure 2); however when hosting system 
images it is best to leave the settings as the default settings and 
in some cases (according to the imaging solution being used), 
guest access needs to be allowed to the volume. For example, 
this is helpful when not authenticating users with asr 
commands. 

Figure 2. Creating a Share in ExtremeZ-IP 

Once the Absolute Manage Server has been installed it is 
time to move on to customizing the Absolute Manage 
installation. 

Administering Absolute Manage 

The first step to customizing an Absolute Manage Server is 
to use Absolute Manage Admin to connect to the server. When 
using a Windows Server, click on the Start menu and select 
Absolute Manage Admin. When using a server hosted by Mac 
OS X, opening the Absolute Manage Admin application that 
comes with the server, agent and MDM server does this. 
Provided that no settings were customized during installation, 
the default settings will authenticate to the server. The Absolute 
Manage Admin application does not need to be run on a server. 
In fact, in cross-platform environments it will be necessary to 
run Absolute Manage Admin on both a Mac OS X and a 
Windows client in order to push out clients for each respective 
platform. 

As mentioned, a certificate is needed in order to push out 
agents. To export a certificate file, simply open the Absolute 
Manage Admin tool and then, using the Window menu, select 
Server Center. In the sidebar on the left side of the Server 
Center, locate the Server Settings icon and then under the 
General tab, click on Save Certificate. Certificates are exported 
into standard .pem files and can then be copied between 
servers and used as needed. Certificates should be kept secure 
(e.g. - in an encrypted disk image) and will be needed when 
deploying agents. 



Once the certificate has been exported, groups will be 
needed for systems to be managed in an object-oriented fashion 
(rather than one at a time). There are two primary types of 
groups: computer groups and smart groups. Computer groups 
are static groups of client computers whereas smart groups are 
computers that match fields from the database of information 
stored about each computer. These fields are known as 
Information Items and a full listing of them can be found by 
clicking on Information Items under the Window menu of 
Absolute Manage Admin. 

By default, Absolute Manage comes with Smart Groups for 
Macs Only and PCs Only, as well as a group for All Computers. 
To create either type of group, click on Computers using the 
Window menu and then use the cogwheel at the lower left of 
the screen to select New Group... or New Smart Group... For 
the purposes of this example, we'll create a Smart Group that 
looks at all computers that were installed with a Computer 
Name Information Item containing Eng_. Simply click on the 
New Smart Group... option, type Computer Name (it will 
autocomplete) in the field on the left and then type Eng_ (or a 
name that fits with your organization's naming scheme) in the 
right hand column. The center field on this screen can be 
changed from “is” to “contains”, as seen in Figure 4. 

Figure 4. Creating a Group 

The static groups are often used for managing items 
such as a lab of computers; the Smart Groups are far more 
flexible. Another aspect of Absolute Manage that provides 
flexibility is Distribution Points, which are locations to place 
packages and images. Every installation will need at least 
one Distribution Point, which can be hosted using a number 
of different methods. Distribution Points host software 
packages, OS patches, and OS images for deployment. 
Absolute Manage can also use AFP shares to host OS 
images. Given that this example environment is using 
ExtremeZ-IP, it makes sense to use the directory created 
earlier in this document. 

To create a Distribution Point, use the Window menu of 
Absolute Manage Admin and select Server Center. Then 
click on the cogwheel in the lower left corner of the screen 
and choose New Distribution Point. The appointed machine 
must have the Absolute Manage Agent installed. 

Figure 5. Creating a Distribution Point 

The Absolute Manage Agent is not installed as a part of 
the Absolute Manage Server or the Absolute Manage Admin. 
If an Absolute Manage Server will be the distribution point 
then it will need the Agent installed. The settings for the 
Distribution Point include the following: 

Distribution Point Name: How the Distribution Point 
is referenced in Absolute Manage Admin. 

Distribution Point Address: The IP address or host 
name of the server. 

Distribution Point Port: The port that the 
Distribution Point uses to communicate with other 
Distribution Points and with Absolute Manage Agents. 

Assigned IP Range: IP addresses that will use the 
Distribution Point. 

Packages Root Path: The path on the Distribution 
Point where Absolute Manage will store its data. 

Max. Concurrent Downloads: The maximum number 
of clients that can concurrently use the Distribution Point 
(there is an optional choice to override the maximum). 

Distribution Point Type: Enable a given Distribution 
Point as the Master Distribution Point, or the point that 
others synchronize to. 

Download Bandwidth: Throttle bandwidth for the 
host. 

Mirroring: Configure when Distribution Points 
synchronize with the Master Distribution Point. 

For the initial Distribution Point, make sure to provide 
a name, an address, a root path and set it to be a Master 
Distribution Point. Also, once created, make sure to choose 
the groups that can use the new Distribution Point. When 
satisfied with the settings, click on OK to save and complete 
the initial Distribution Point. Once Distribution Points and 
groups have been created, it is time to build images, 
packages and other items, that then get stored on 
Distribution Points and assigned to Computer Groups and 
Smart Groups for deployment. 

Building an Image 

Absolute Manage Admin has a fairly easy interface 
compared to how complicated some of the tasks that can be 
performed are. In this section, we will look at installing the 
Absolute Manage Agent on clients and look at reinstalling 
systems when operating systems become corrupt, new 
updates are released and when systems get refreshed. This 
process is traditionally referred to as imaging. However, 
Absolute Manage is not an imaging solution in the 
traditional sense of an imaging solution. 

An image is a compressed disk image file (.dmg) that 
has been prepared with what is similar to a clone of an 
operating system, any applications that are required for the 
image and then a cleansing process of sorts, which allows 
the image to be deployed to systems other than the one that 
the image was prepared on. 

Agent Deployment 

Applications can be deployed on an image; however, 
keeping track of what is on computers can then be difficult. 
When using a tool such as Absolute Manage to handle 
software distribution, the image can be a simple operating 
system installation, along with either SSH or the Absolute 
Manage Agent. Once the client computer is registered to the 
server all software can be deployed in an automated, 
modular fashion. 

When imaging client computers that have been 
prepared with the Absolute Manage Agent, the Agent will 
need to be customized prior to creating an image. To do so, 
locate the 
/Library/Preferences/com.poleposition-sw.lanrev_agent.plist 
file, which can be edited with standard 
defaults commands. Additionally, if a package will be 
installed as a post-installation process, the 
Contents/Resources/DefaultDefaults.plist file can be 
customized to push specific settings to clients. For more 
information on customizing the Absolute Manage Agent 
during deployment, such as the keys and options for each 
key, see http://macte.ch/LRA. Custom installation packages 
can also be generated automatically by using the Windows 
menu and then accessing the Agent Deployment Center's 
Export Custom Agent feature. 

Once the agent deployment has been finished, test 
sending a command to the client using the options under 
the Commands menu of Absolute Manage Admin. Here it is 
possible to copy files, send messages, reset power settings, 
install packages, send scripts and do a number of other 
tasks. Apple Remote Desktop has much of this same 
functionality; however, Absolute Manage performs far more 
tasks and allows administrators to do so in a far more 
flexible and object oriented fashion. 

When preparing a disk image to be used with asr, it is best to 
use System Image Utility, InstaDMG, DeployStudio or 
another tool specifically designed for imaging operating 
systems. Those images can then be imported into Absolute 
Manage for future live re-imaging of Mac OS X. 

Deploying Images with ImageLive 

Let’s repeat that: “live re-imaging” means reimaging a 
computer while a user is working. Clients can be upgraded 
from Mac OS X 10.5 to 10.6, with customizable alerts to 
inform the user about as much (or as little) as is desired and 
administrators can choose what data is retained. Once the 
installation is complete, the user will reboot into the newly 
installed environment and any post-flight activities 
performed. The feature is called ImageLive and in order to 
be used the image will need to be added to the Absolute 
Manage Server using the Absolute Manage Admin. To do so, 
open Absolute Manage Admin and then, using the Windows 
menu, choose Server Center. From Server Center, 
control-click (or right-click if you can) on Mac OS Disk Image and 
click on the New Disk Image... option under Software 
Distribution. A screen (Figure 6) will then prompt for an 
image name and provide a Select... button to browse to the 
image. Optionally, there is also a Disk Image Password field 
for environments that password protect images. When 
satisfied with the settings, click on the OK button to commit 
the new image into the server, triggering an upload to the 
Distribution Point. 

Figure 6. Importing a Disk Image 


Once created, a Command can be sent to a client to 
re-image, either at the time the command is sent or on a schedule. 
To send a Disk Image to a client computer, use the Server 
Center and select the computer or group that will be reinstalled. 
Then click on the Reinstall Mac OS X Computer command 
from the Commands menu. 

Figure 7. Reinstalling a Computer 

The Reinstall Mac OS X Computer screen will then 
open. Here a source, target and settings will need to be 
selected. The source drop-down menu will show a list of 
available images that can be used for Software Distribution. 
For environments that do not have multiple Distribution 
Points, an image hosted on an ExtremeZ-IP based DFS AFP 
share can also be used as a source. This flexibility helps 
when transferring large files (images typically start at 7 and 
go upwards of 40 Gigabytes). The target is typically going to 
be a Startup volume. There are also options to preserve user 
folders, local accounts, directory services bindings (e.g. - 
Active Directory) and the Absolute Agent. Pre-flight and 
post-flight scripts can also be selected and selecting multiple 
computers will deploy the image to systems concurrently. 
Click Execute and the client systems will start reimaging, 
providing the end user with a customizable message as to 
what is occurring. 

Software Distribution and Patch 
Management 

Absolute Manage can push out most software packages 
natively. Supported file formats include .mpkg, .pkg, .dmg, 
.msi, and .exe. Missing Mac OS X and Windows OS patches 
are automatically detected and downloaded to the 
Distribution Point for review. Patches are only downloaded 
once for bandwidth conservation. A package is a set of files 
and instructions to be carried out during installation. 
Because not all software installers can be deployed natively, 
Absolute Manage comes bundled with Absolute Manage 
InstallEase, a lightweight, straightforward packaging tool. 
Packages created in InstallEase (as well as other packaging 
tools) are then uploaded onto Distribution Points through 
the Absolute Manage Server and assigned to groups of 
computers. Packages from Apple Software Updates can also 
be synchronized automatically to Distribution Points, 
meaning administrators do not need to keep separate 
systems to handle Apple updates. 

Packaging Installers 

Absolute Manage InstallEase allows administrators to
build packages quickly and easily using a "snapshot," which
captures the state of a system before and after an installer
and then creates a package based on the delta between the
two. InstallEase also goes a step further and allows for
"manual" package creation, for packages that are not as
cookie-cutter as the ones built using the snapshot option.

To create a snapshot package, simply open the
InstallEase application and then click on the radio button for
Automatically. At the Snapshot Source screen, either scan
the entire hard drive, or if you know that changes will only
be made in a couple of given folders, add them using the
Folders: option to make scanning faster. Next, click on the
Take Snapshot button to scan the file system. Once
scanned, run the installer that is required or perform the
necessary tasks to create the package. Then click on Take
Snapshot again. When the scan is complete, the Snapshot
Data screen will then show all of the files and the
permissions that those files will have in the package that is
created. Here, remove any extraneous files and then click on
the Continue button to move to the Create Package screen.

Figure 8. Creating a Package with Absolute Manage InstallEase


At the Create Package screen, choose the Format that
the package should have. InstallEase also has the ability to
create packages that install files into the current user's home
folder, comes with an extensive list of filters and can make
uninstaller packages along with the initial installation
packages. To create a package that will remove the items,
check the box for "Uninstaller package for Apple Installer".
At the Create Package screen, it is also possible to create an
Iceberg project, which can then be imported into Iceberg for
even more options. Iceberg is available at:
http://s.sudre.free.fr/Software/Iceberg.html.

Managing packages 

As previously mentioned, Absolute Manage allows an
administrator to deploy standard packages. Custom objects
that are deployed to clients are referred to as Payloads in
Absolute Manage Admin. Payloads can include disk images
(.dmg), package installers (.pkg) and metapackages
(.mpkg). To upload a package that was created using
Absolute Manage InstallEase into the Payload repository,
open Server Center (using the Window menu in Absolute
Manage Admin) and click on Payloads in the sidebar. Here,
right-click (or control-click) on the Payloads icon and select
New Payload... from the Software Distribution list.

Figure 9. Creating a Payload


Provide a name for your new Payload and then use the
Select... button to select the package file that was previously
created. Click OK to start the package uploading to the server.
Once the new file appears in the list of Payloads, click on
Software Packages. Because it is possible to deploy a number
of packages to accomplish a given task, Payloads are assigned
to what Absolute Manage refers to as a Software Package.
Payloads can also include files. This gives the ability to have
multiple payloads assigned to a given automation but also
allows for even more granular installation options. For example,
if there are multiple packages of Office 2008 and the only
difference between them is a choices.xml answer file, the
installation files can be hosted once for Office, plus the different
choices.xml answer files. This saves space on the distribution
points and prevents mirroring the packages to each distribution
point.

To create a software package, click on the cogwheel icon at
the bottom of the screen again and then click on New Software
Package.... In the following example, there are two payloads
that will be installed: the first of these will deploy the software
and the second will customize settings for the software being
deployed, a typical way of dealing with modular software
deployment (although if a policy management solution, such as
Centrify, is used in the environment, a practice often best left to
the policy management solution).

Figure 10. Creating a Software Package


In addition to choosing payloads, Software Packages come
with some other exciting options. The Installation Options tab
provides many of the same features that can be found in Apple
Remote Desktop and then a few others as well, such as require
a user to be logged in to install, ask user if the installation
can run, and cache package files. The User Interaction tab is
used to define what is communicated to users (e.g. - progress)
as well as options for users to defer installations and whether to
restart the target computers. The Installation Conditions tab
allows administrators to choose which computers can receive
the software title based on the presence of other software (for
example, only install an Office update if Office is already
installed). This functionality is also available by creating Smart
Groups and using installed software as an Information Item.
Once all required options have been configured, click on OK to
save the package. Clicking on the package in the Absolute
Manage Admin sidebar will then provide checkboxes for each
group that the package is assigned to, allowing the package to
be deployed to clients in those groups.

Deploying packages 

Packages can be deployed to clients running Absolute
Manage individually and using Computer Groups and Smart
Computer Groups. When deploying a package to a group, first
add all of the computers to the group that will receive the
package. Once the computers have been added to the group,
open Server Center from the Window menu of Absolute Manage
Admin. Then click on the name of the group in the Server Center
sidebar. When a group or a computer is selected, click on the
Commands menu and choose Install Software Packages...
from the menu to bring up the Install Software Packages screen.

As seen in Figure 11, the Install Software Packages screen
allows administrators to choose which packages will be
installed. Specific target computers can also be removed and the
Options button can be used to provide a description of the task
being completed, defer an installation, repeat an installation
attempt and wake up computers if needed.



Figure 11. Using a Computer Group to Deploy a Package

Once begun, the status of installations can be checked using
the Installation Status entry in the Server Center sidebar. Here you'll
find a log file, as well as those packages that are currently being
installed, have been installed, failed to install, were cancelled and
were deferred.

Software Update Services

As mentioned previously in this article, Absolute Manage has
the ability to replace a Mac OS X Server running the Software
Update Service. The concepts are similar between the products,
although it is much more straightforward to manage software using
a single tool, rather than relying on multiple tools to do so. Absolute
Manage Server caches updates from Apple and then if client
computers need the patches and they are present on the Absolute
Manage Server then Apple updates will be automatically installed
on the clients from the Absolute Manage Distribution Points. As
with the Software Update Service in Mac OS X Server,
administrators can choose which packages to deploy and which
should not be sent to client systems. Additionally, software updates
are available for Mac OS X 10.4, Mac OS X 10.5 and Mac OS X 10.6.

Figure 12. Software Updates for Mac OS X

The integration of automated Software Update management
along with patches from 3rd party software vendors in the form of
custom packages allows for the management of all software from a
centralized point, the Absolute Manage Server. At this point, it is
possible to add each software package and automation used in an
environment to fully prepare a Mac OS X client and then manage
the clients and keep a full inventory of software dispatched to
clients using Absolute Manage.

Backing up Absolute Manage Server

Backing up any critical asset is a must. Once a lot of work has
gone into building groups, Software Packages, Payloads and
everything else that goes into Absolute Manage, the backup of the
Absolute Manage Server database becomes no different. Which is
why backup is built into Absolute Manage and enabled by default.

To customize the backup schedule, open Absolute Manage Admin,
click on the Window menu and then click on Server Settings. From
here, there will be a "Database backup" section located under the
General tab that shows the schedule on which backup will run (by
default 11PM nightly). On a Windows Server, these backups are
stored in c:\Documents and Settings\All Users\Application
Data\Pole Position Software\LANrev Server. When running Absolute
Manage Server on Mac OS X, the backups are stored in
/Library/Application Support/LANrev Server.

Summary

For environments that require rack density, Apple's decision to
exit the rack-mounted server space is one that cannot be
understated. One of the most critical aspects of centralized systems
administration is software distribution. Large imaging frameworks
can be run on most any server platform and throughout this article
we have shown how imaging can be handled for large numbers of
systems using an AFP mount hosted by ExtremeZ-IP. We have also
shown how large patch management environments can be
maintained using Absolute Manage servers. Both of which can be
run on Microsoft Windows Servers.

Imaging and patch management is not a simple task, but
Absolute Manage takes much of the difficulty out of managing large
environments by putting most of the tools that are needed to
manage software distribution, licensing and settings within easy
reach of Mac OS X systems administrators, no matter whether a
Windows or a Mac OS X server is preferred. For environments that
need to scale up and prefer Windows, ExtremeZ-IP offers a
comprehensive file and printer sharing solution that is also both
robust and easy to use.

For more information on Absolute Manage, see
http://www.absolute.com. For more information on ExtremeZ-IP,
see http://www.grouplogic.com/products/extremeZ-IP.
Mac App Store and the Enterprise 

What the New Mac App Store means 
for the enterprise 

by Greg Neagle, MacEnterprise.org 







Fear and Loathing 


In late October 2010, in its "Back to the Mac" event, Apple
demonstrated some features of the upcoming Mac OS X 10.7 "Lion"
release. Steve Jobs explained that some of the features of iOS,
Apple's operating system for the iPhone, iPad, and iPod Touch,
would be making their way "back to the Mac."

One such feature is the App Store. The App Store is a key
element in the success of the iPhone, iPad and iPod Touch. It
allows users to easily discover, purchase and install applications for
Apple's mobile devices. Apple announced that a "Mac App Store"
would be part of Mac OS X "Lion", but that it would also be
available within ninety days for Snow Leopard.

It was natural for systems administrators to wonder what the
coming of the Mac App Store would mean for them and their
organizations. Many questions were raised by the Mac App Store
announcement. In the demonstration, the presenter chose,
purchased, downloaded and installed an application without being
prompted for administrative credentials. This seemed to imply one
of two things:

The App Store runs with special privileges, and can install
apps for the user without needing admin credentials.

Mac App Store applications are installed somewhere the user
has rights to modify without elevating privileges — like their own
home directory.

As it turns out, neither is correct, and the App Store behaves
in a way that is new for Mac OS X applications. We'll get to that in
a bit. But at the time, it seemed possible that the App Store would
allow unprivileged users to buy, download and install applications.
This brought up a few more questions:

If the download/install location was within the user's home
directory, that implied:

Apps downloaded and installed by one user of a machine
would not be usable by another user of the same machine.

Users with network home directories might run into quota
issues, or find their apps don't behave perfectly when run from
their network home.

If your organization backs up user data and/or transfers it from
a user's old machine to a new one, you would have a whole new
class of "data" to worry about.


If the Mac App Store installed apps in a globally writable space
outside any user's home, something like /Users/Shared/Apps/,
some of the above issues no longer apply, but new issues might
have raised their heads:

Could a user delete an app purchased, downloaded, and
installed by another user?

Could a user update an app installed by another user?

If you migrated local user data from a user's old machine to a
new one, you might be expected to migrate their downloaded App
Store apps, and you might need to keep track of this new location
to do so.

A final question - would Apple include MCX controls for the
Mac App Store, much as they do for iTunes?

Much of the early speculation and concern about the Mac App
Store was due to a lack of knowledge. Enterprise administrators
saw the demonstration and added in their experiences with the
App Store on iOS, and developed a "worst-case scenario" for how
the Mac App Store would affect them and their organizations.

A Cloud is Lifted 

On January 6, 2011, Apple released the Mac OS X 10.6.6
update, and the Mac App Store went live. Finally the questions
raised by enterprise administrators could be answered. And as it
turned out, much if not all of the initial concern was unwarranted.
The Mac App Store gives users of enterprise Macs no more
capabilities than they ever had.

Why is this? It boils down to one thing: non-admin users are
required to provide administrative credentials before they can
purchase, download or install items from the App Store. It turns out
that the behavior we saw in Apple's demonstration in October,
where the presenter used the App Store to install a purchased
application without being prompted for an administrative
password, happens only if the currently logged-in user is an admin.
Additionally, there's no special location for App Store apps - they
are installed to the /Applications directory like almost every
other application on Mac OS X.
This means that users in an enterprise environment have
exactly the same capabilities that they do now. If they currently
have admin rights, they've always been able to purchase, download
and install software to your machines. The App Store is just another
(very attractive) avenue. If you have policies against your users
installing software on machines owned by your organization, these
same policies still apply to App Store installations.

If you do have admin users, and they do purchase and
download applications (perhaps against your organization's
policies), a feature of the Mac App Store lessens the administrator's
burden—the App Store keeps track of all of a user's purchases, and
allows the user to re-download the apps at any time or onto any
other machine they use. So you as an admin don't really need to
worry about trying to preserve a user's App Store purchases when
replacing a user's machine. And if the user decides to comply with your
organization's policies and removes the App Store apps, he or she
can re-download them on his or her home Mac.

If your users do not have admin rights (a common situation in
enterprise environments), they cannot use the App Store to install
software without providing administrative credentials - this is the
exact same situation they have if they try to use Apple's Installer or
most third-party installers to install software. So again, nothing has
changed for non-admin users with the introduction of the Mac App
Store. Enterprise administrators really have nothing new to worry
about. You might be perfectly justified in not doing anything special
at all after deploying Mac OS X 10.6.6. On the other hand, you may
want to take steps to make the App Store less obvious, or even
block its use in your organization.


Controlling Access to the App Store 

When a user logs in after installing Mac OS X 10.6.6, the
App Store icon will appear in his or her Dock, and App Store...
appears under the Apple menu, replacing the Mac OS X
Software... item. It's pretty clear that Apple wants users to quickly
discover the App Store. If you'd like to prevent the App Store from
being added to the Dock of each user (making it a little less
obvious), modify
/Library/Preferences/com.apple.dockfixup.plist.
Specifically, remove the add-app dictionary:

    <key>add-app</key>
    <array>
        <dict>
            <key>path</key>
            <string>/Applications/App Store.app/</string>
            <key>after</key>
            <string>begin</string>
        </dict>
    </array>
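One way to script that change across a fleet, shown as an added example that is not code from the article or from Apple. It goes slightly beyond the text by removing only the App Store entry and dropping the add-app key when nothing else is left; the second entry in the sample plist is hypothetical and the sample itself is constructed.

```python
import os
import plistlib
import shutil
import tempfile

DOCKFIXUP = "/Library/Preferences/com.apple.dockfixup.plist"  # path from the article
APP_STORE = "/Applications/App Store.app/"                     # path from the article

# Constructed sample input: the add-app array shown in the article plus one
# hypothetical extra entry, to show that unrelated entries are preserved.
SAMPLE = plistlib.dumps({
    "add-app": [
        {"path": APP_STORE, "after": "begin"},
        {"path": "/Applications/Example.app/", "after": "begin"},  # hypothetical
    ],
})


def strip_dock_addition(plist_bytes, app_path=APP_STORE):
    """Drop the add-app entry for app_path; return (new_bytes, changed)."""
    prefs = plistlib.loads(plist_bytes)           # accepts XML and binary plists
    entries = prefs.get("add-app") if isinstance(prefs, dict) else None
    if not isinstance(entries, list):
        return plist_bytes, False                 # key absent: nothing to do
    target = app_path.rstrip("/")
    kept = [e for e in entries
            if not (isinstance(e, dict)
                    and str(e.get("path", "")).rstrip("/") == target)]
    if len(kept) == len(entries):
        return plist_bytes, False                 # already clean, so idempotent
    if kept:
        prefs["add-app"] = kept
    else:
        del prefs["add-app"]                      # the article's case: key removed
    fmt = (plistlib.FMT_BINARY if plist_bytes.startswith(b"bplist00")
           else plistlib.FMT_XML)                 # write back in the input format
    return plistlib.dumps(prefs, fmt=fmt), True


def update_file(path=DOCKFIXUP):
    """Apply strip_dock_addition to a file in place, keeping a .bak copy."""
    with open(path, "rb") as fh:
        original = fh.read()
    updated, changed = strip_dock_addition(original)
    if changed:
        shutil.copy2(path, path + ".bak")         # backup for rollback
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        with os.fdopen(fd, "wb") as fh:
            fh.write(updated)
        shutil.copymode(path, tmp)                # keep the original mode bits
        os.replace(tmp, path)                     # atomic swap on the same volume
    return changed


if __name__ == "__main__":
    out, changed = strip_dock_addition(SAMPLE)
    print(changed, [e["path"] for e in plistlib.loads(out).get("add-app", [])])
```

Because an OS update can restore the file, the function is written to be safe to re-run from a recurring management task.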

It's also possible to remove the App Store... item from the
Apple menu, but I don't recommend the method: it turns out that
if you delete the App Store application from the /Applications
directory, upon restart, the App Store... item will disappear from
the Apple menu. I don't recommend this, even if preventing all
access to the App Store application is your goal, because you'll
need to revisit this after every subsequent update to Mac OS X - a
future update could easily return the App Store application to the
/Applications directory (and a 10.6.6 or later combo update definitely
would).

A better way (and the only Apple-supported way) to limit
access to any application, including the new App Store application,
is to use MCX or Managed Preferences controls. An introduction to
MCX is beyond the scope of this article, but it just so happens that
there is an excellent book on Managed Preferences co-written by
MacTech's Executive Editor, Edward Marczak and yours truly. It's
called Enterprise Mac Managed Preferences, and is published by
Apress. It's available through Amazon.com, so place your order
today!

Now that we're done with that product placement, a quick hint
on controlling access to the App Store application using MCX can
be found in Figure 1.

Figure 1 - Managing application access via MCX

Figure 1 shows a preference management pane in Workgroup
Manager. We're allowing all applications to launch except
/Applications/App Store.app/. (In this example, I
managed this preference for a ComputerGroup; you could also
manage this preference for users or groups.) Once applied, if a user
attempts to launch the App Store application from the
/Applications folder, he or she will see a dialog like the one in
Figure 2.

    You don't have permission to use the application "App Store".
    For more information, contact the person who set up your account.

Figure 2 - Limiting the use of the App Store
Unfortunately, the management as shown here is easy to
defeat: all a user needs to do is copy the App Store application to
their desktop (or anywhere else they can write) and run it from
there. You could avoid this by adding other folders from which you
disallow application launches, for example, /Users and
/Volumes. If you already have these restrictions in place, you are
in good shape. If you can't or shouldn't prevent applications from
running from places like /Users and /Volumes, then preventing
just /Applications/App Store.app is more of a guideline
than a hard enforcement tactic.
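The gap described above, as an added example that is not from the article: a simplified model of the folder-based rule (an assumption, not Apple's implementation) shows which launch paths each disallow list covers, and an audit routine finds App Store bundles sitting in user-writable locations by CFBundleIdentifier, so a renamed copy is still reported. The search roots are whatever the administrator passes in.

```python
import os
import plistlib
import posixpath
from pathlib import PurePosixPath
from xml.parsers.expat import ExpatError

APP_STORE_ID = "com.apple.appstore"   # CFBundleIdentifier of App Store.app


def launch_allowed(app_path, disallowed_folders):
    """Simplified model (an assumption) of 'Disallow applications within
    these folders': refuse when the bundle is, or sits inside, a listed folder."""
    app = PurePosixPath(posixpath.normpath(app_path))
    for folder in disallowed_folders:
        root = PurePosixPath(posixpath.normpath(folder))
        if app == root or root in app.parents:
            return False
    return True


def bundle_identifier(app_dir):
    """Return CFBundleIdentifier from <bundle>/Contents/Info.plist, or None."""
    info = os.path.join(app_dir, "Contents", "Info.plist")
    try:
        with open(info, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return None                   # missing, unreadable or malformed plist
    return data.get("CFBundleIdentifier") if isinstance(data, dict) else None


def find_bundle_copies(search_roots, bundle_id=APP_STORE_ID):
    """Walk search_roots and return the sorted paths of every .app bundle
    whose identifier is bundle_id, whatever the bundle has been renamed to."""
    hits = []
    for root in search_roots:
        for dirpath, dirnames, _files in os.walk(root):
            for name in list(dirnames):
                if name.endswith(".app"):
                    full = os.path.join(dirpath, name)
                    if bundle_identifier(full) == bundle_id:
                        hits.append(full)
                    dirnames.remove(name)   # do not descend into bundles
    return sorted(hits)


if __name__ == "__main__":
    only_app_store = ["/Applications/App Store.app/"]
    hardened = only_app_store + ["/Users", "/Volumes"]
    copy = "/Users/alice/Desktop/App Store.app"   # constructed example path
    print("single rule allows the copy:", launch_allowed(copy, only_app_store))
    print("hardened rules allow the copy:", launch_allowed(copy, hardened))
    print("copies found:", find_bundle_copies(["/Users", "/Volumes"]))
```

Where /Users and /Volumes cannot be added to the disallow list, running the audit periodically at least makes copies visible.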

The App Store for Enterprise 
Software Deployment 

It wasn't long after the Mac App Store launched before
people started wondering about potentially using the Mac App
Store to distribute software in enterprise environments.

My take: don't hold your breath. The App Store as
currently designed is end-user focused. There's no concept of
site or enterprise licensing for app purchases, and while it
might be technically possible to purchase an app on one
machine in an organization and download it onto all your
machines (by providing the same Apple ID), it certainly
doesn't meet the terms and conditions of the App Store. For
years, enterprise administrators hoped Apple would extend
Software Update Server to support third-party updates. Apple
never did. I can't imagine that Apple will ever extend the Mac
App Store to support enterprise deployment, either.

One area of concern to keep in mind: currently you can
buy some of the iLife and all of the iWork apps on the Mac App
Store. This is a great development for home users who may
want only one or two of the apps included in the suites, and
is a new, convenient way to buy these apps. The iLife and
iWork suites are still available on physical installation media
and in a format suitable for enterprise deployment tools. But if
in the future, Apple makes the iLife and iWork apps available
only from the App Store, it will be very difficult for large
organizations to deploy these tools. You may want to let your
Apple representatives know that it is important for these tools
to remain available outside of the App Store as well.

The App Store for System 
Administrators 

But that doesn't mean the App Store is useless except for
home users. Tools of interest to systems administrators have
already started to appear in the Mac App Store. A great
example is Lingon. This is a GUI editor for launchd plists. Last
summer, Peter Borg, Lingon's developer, announced he was
ceasing development of Lingon and some other tools, saying
he didn't "have the time to spend on the applications that they
deserve".

But with the Mac App Store, Peter has restarted
development of Lingon and Smultron, his text editor
application. I suspect the prospect of making a little money off
his hard work (each app sells for $4.99) may have motivated
Peter to once again find the time to spend on these apps. It
seems likely that other developers may now find the
motivation to create more tools of interest to systems
administrators. Other tools available on the App Store that
might be of interest to systems administrators include
"FileWrangler," a file renaming utility; "Decloner," a utility for
finding duplicate files, and even the venerable Stuffit Expander
for decompressing that archive from 1999!

Bottom Line 

There's no need for an enterprise systems administrator to
fear the App Store. It doesn't give your users any capabilities
they don't already have. Users without access to administrative
credentials can't use it to install anything, and users with admin
rights could already download and install applications from
anywhere on the Internet.

If your organization decides to allow (or at least turn a
blind eye to) App Store downloads, you as a systems
administrator do not need to feel responsible for backing up
App Store downloads or transferring a user's App Store
purchases to a new computer. The App Store keeps track of
users' purchases and allows them to re-download their apps at
any time.

Though it's possible to block access to the App Store
application, blocking it totally may cause as many issues as it
prevents.

And finally, systems administrators may even benefit, as
there is a new financial incentive for developers to create tools
of interest to administrators. In fact, there's nothing stopping
you from creating and selling your own tools on the App Store!
So get cracking and make my job easier!

Show Me the Money


Suggested billing practices for consultants 


by Ronald Gehrmann 


The title of this month's column, lifted from an exchange
between Tom Cruise and Cuba Gooding, Jr. in the film Jerry
Maguire, nails the bottom line for a self-employed consultant
— you've done your good work and you need to be
compensated. And let's not forget how crucial cash flow is
when you're a sole proprietor.

As an Apple Consultant, I've seldom worked for
corporate clients, and never in the long term, so I have no
experience with arrangements such as retainers, pre-payment
for blocks of time, purchase orders, or setting payment terms.

Dealing with home and small-business users occurs at a
much smaller scale. As opposed to a consultant working with
a handful of large business clients, your income base is
comprised of many more "small fry clients," and dealing with
the sheer number and variety of client situations can be
challenging. But on the flip side, if you like people, it can be
a delight to mingle with so many different personalities and
systems. While there are many different ways of billing home
users, in this piece I'd like to share with you thoughts about
what works well for me, in the hope you might find it useful.

The value proposition 

The foundation for a successful client relationship, and
for getting paid, is when the client feels that they are getting
enough "bang for their buck." Nobody wants to pay for
something that doesn't seem "worth it" to them.

When I receive an initial inquiry by voicemail or email,
I explain in my first email response that I can address the
prospective client's needs and what my rates are. This way, if
there's any question later on, especially regarding my rate, I
can always refer back to this written information, rather than
relying solely on verbal arrangements. I also briefly describe
my areas of expertise, opening the door for providing
services that go beyond their immediate need.

If a prospective client replies that my rate is too high, it
doesn't bode well for a good relationship. If at that point "my
spider sense is tingling," I'll try to recommend a consultant
with a lower rate (if I know of one), or direct them to
Craigslist or other possible alternatives, and wish them the
best of luck. If it seems that this prospect could become a
long-term client, I may offer them a slightly discounted
introductory rate in the hope that they'll be so satisfied with
my work that they'll subsequently be willing (perhaps even
happy!) to pay my regular rate. Knowing which clients to let
go of and which to keep is an important intuition to hone.
There are always surprises, however! Some of my favorite
long-term clients are ones that initially fell into the category
of "you couldn't pay me enough to work with this person."

Depending on the geography, transportation options and
other aspects of your market, you may want to charge for
travel time. While building my consulting business when I
lived in coastal New Hampshire, serving clients within a
radius of about an hour's drive, I charged travel time at half
my hourly rate.

Working on-site with clients in Manhattan and parts of
Brooklyn and Queens, where public transportation is quick
& easy, I don't charge for travel time, however I do have a
two-hour minimum for on-site sessions. If people balk, I
explain that they'd be surprised how quickly two hours can
fly by (and how much they can benefit from two hours of
troubleshooting and/or tutoring), and that if they don't use
up the full two hours, any remaining time is credited towards
support by phone and remote screen sharing.

Cash on the barrelhead 

If, during initial contact via phone and email, a 
prospective client seems legitimate, I will tell them that 
payment by check is acceptable. If I have any doubts, HI 
request cash payment for the initial session, with the 
understanding that payment by check will be fine for 
subsequent sessions, 

I also accept payment via credit card (by w'ay of Pay Hal), 
but generally prefer to avoid the hassle of adding the PayPal 
fee on top of my invoice amount, then transferring the 
incoming funds from my “sandboxed” PayPal bank account-to— 
my regular business bank account. 

In any case, I make out an invoice at the conclusion of 
the session and payment is due at that time. I write the 
invoice in longhand on a pre-printed form, and when I'm 
back at my office I enter the details into QuickBooks. This 
avoids all the administrative overhead of later generating an 
invoice, emailing or snail-mailing it, keeping track of 
receivables, and possibly needing to send out statements and 
reminders. 

For those home users whom I see multiple times during 
a month, and if I know they'll pay on time, I'll extend the 
courtesy of sending them an invoice at the end of the month, 
with payment due on receipt. Because I take great care to 
establish a trusting relationship with my clients, I've not had 
any problems with non-payment. 

Detailed invoices help document your services rendered 

In keeping with my effort to educate the client about the 
value of what they're paying for, the invoice I present at the 
conclusion of a session includes a brief overview of what was 
accomplished, e.g. "iMac and network setup, data migration, 
application updates, tutoring." If I'm billing a client at the end 
of the month for several on-site and/or remote sessions, I try 
to be even more specific, indicating the date of each session 
and what was accomplished. 

At the end of an on-site session, I always remind the 
client that I'm available to help them over the phone, either 
with or without remote screen sharing software (I use 
TeamViewer; LogMeIn is another popular tool). I explain that 
phone/remote sessions are billed at my regular hourly rate, 
pro-rated, with no minimum duration. 

The clock is always ticking 

When a client calls for phone/remote support (either at 
a pre-arranged time, or spontaneously), I remind them at the 
start that they're on the clock, and I let them know at the end 
of the session how long we worked (I use a timer that's 
always visible on my screen), and that I'll be adding that 
amount to my invoice at the end of the month, or at our next 
on-site session, whichever comes first. 

Occasionally, I'll come across someone who chafes at 
being charged for time on the phone. Yes, sometimes you 
actually have to "paint them a picture." I explain that they 
have called with an issue or question that needs to be 
resolved, and that they have called me because of my 
expertise, and that after I provide the solution to their 
problem, why would they possibly assume this would be a 
freebie. 

My time is my service. I do not sell hardware, and cannot 
"throw in" free phone support. Offering my expertise is how 
I earn a living. If I am giving away my time for free, I'm not 
putting food on my table. Furthermore, if one client expects 
me to work with them for free, I'm not able to use that 
time to work with a paying client. 

Occasionally I've gotten a semi-snarky comment that 
by billing phone time "you're just like a lawyer," and if 
that analogy helps them understand the concept, that's just 
fine. 

To be sure, if I'm working with clients on a long-term 
basis, I'm flexible and will at my discretion throw in some 
on-site or remote support time at no charge. It all depends on 
the relationship I've developed with a specific client. 

Why should I pay for this? 

Who among us consultants hasn't run into a situation 
where you've banged your head against a problem for an 
hour or more, and despite all your expertise and resources, 
you can't fix it? This is not your fault: due to circumstances 
beyond your control, the hardware or software problem 
cannot be resolved. How do you deal with billing a client 
when at the end of the session, they are still at square one? 

The best way to avoid a situation like this is through 
early prevention and detection, i.e. based on your expertise 
and comfort level in stretching your envelope, only take on 
clients and jobs where you don't see major red flags. 

That said, the unexpected can and will occur. Some 
consultants have a written contract/waiver to cover situations 
like this, but I've never used such a document. Instead, when 
going into a situation that may not turn out 100% successful, 
I try to manage the client's expectations beforehand, verbally 
and by email. For example, "We don't know why your Mac 
isn't booting, but I can try specific diagnostics and 
troubleshooting techniques that within a short time will either 
fix your Mac or let us know that deeper expertise and/or 
hardware repair is required. But even if we're unsuccessful, 
I'll need to bill you for my diagnostics time." 



Another key strategy is to not proceed too far down the 
rabbit hole of troubleshooting without apprising the client of 
the situation. Instead, for example, spend half an hour on a 
first round of efforts and explain what'd need to be done 
next, and how much time it might take. A client who has 
approved work beforehand is more likely to pay for that 
work than one who is asked after the fact to pay for several 
hours of work they didn't even know was necessary. 

Month-end bookkeeping and follow-up 

By the end of the month, the bulk of my billing is already 
complete, because most clients were invoiced, and payment 
was received, at the end of each session. What remains at the 
end of the month is for me to tally up my timesheets for 
clients with whom I've worked remotely, or those I’ve agreed 
to bill at the end of the month. Based on the timesheets, I 
create invoices (with semi-detailed, line-item descriptions of 
services rendered) in QuickBooks and email them to my 
clients, noting in the subject line: “Metro MacSupport - 
December invoice - due on receipt - PDF attached." 

A couple of weeks later, I re-send the invoice to any 
stragglers, making a note on the invoice so that I can 
document when I followed up. 

Building relationships, building value 

For consultants working with individual users at home 
and in small businesses, I cannot overstate the importance of 
forging relationships based on trust and mutual respect. It can 
be rewarding to build that direct connection with a home 
user, without third parties that might be involved when 
working in a corporate setting. 

Open lines of communication are key to maintaining 
good client relationships. If you're clear about the value of 
your work, and can achieve success most of the time, the 
home user will be happy to pay you for your services, as 
they'll want to ensure your willingness to work with them 
when they need you in the future. 

Keith Alperin 

Helium Foot Software 
http://www.heliumfoot.com 

What do you do? 

I'm the founder, CTO, CMO, COO, CEO and CJO (Chief 
Janitorial Officer) of Helium Foot Software, which I started in 
2007. 

As my title(s) imply, I do just about everything! I hire 
contractors (designers, copy writers, etc.) as needed, but for the 
most part, it's a one man shop. Like a lot of indies, Helium Foot 
has two practices: product development and consulting. 

While I've always fancied myself as a product auteur (or at 
least an impresario) the truth is that consulting is really what 
keeps the lights on. At SecondConference this past fall, there 
was a lot of discussion about what it means to be an "indie." 
Since then, I've been a lot more zen about my current place in 
the mac-o-verse and I'm focusing a lot more on my consulting 
practice this year. 

How long have you been doing what you do? 

I grew up in a house with computers. My dad used to bring 
home dumb terminals back in the 70s (complete with telex 
"displays" and acoustic coupler modems.) I wrote my first game 
with my best friend in 1984. We were 9 and 10. We wrote it in 
mbasic5 on a cp/m based Vector Graphic 4. It was called 
"Haunted Mansion" and before you label us prodigies, you 
should know that the entire game was implemented as a giant 
tree of conditionals. 

Fast-forward to 1996 and I had just graduated from college 
with a degree in molecular biology. Since my biology 
experiments always failed, I needed to find another line of 
work. The Internet was starting to explode so I took my degree 
in biology, my (very heavy) HTML reference book and my 
60-watt smile into a job interview and emerged with a gig as a 
webmaster. I really came up through the web ranks and started 
to make the jump to the Mac in the year or so before I started 
the company. 

What was your first computer? 

Our first real computer was a Vector Graphic 4 
(http://www.vintage-computer.com/vector4.shtml) which my dad 
brought home in 1982. He was a software engineer (he even 
studied computers at MIT before they had a computer science 
major) so we were definitely ahead of the home computer 
curve. We of course played games on it. We used its word 
processor (MemoWrite, a program so obscure that google 
seems to have never heard of it.) Most importantly though, I 
started programming on it. My dad bought a book on BASIC 
that he read with us and we did the examples together. I was 
a little too young to really get the concept of variables and 
subroutines, but I could make it print a lot of lines of "KEITH 
IS AWESOME." 

What is the advice you'd give to someone trying to get 
into this line of work today? 

Just start! I spent a long time as a sort of cocoa dabbler 
who thought a lot about writing an app and starting a 
business. I read this quote from Daniel Jalkut of MarsEdit fame 
and it really inspired me (hat tip to Gus Mueller for posting it 
on his blog: http://gusmueller.com/blog/archives/2007/02/daniel_jalkut_on_macsb.html): 

Therefore my advice and personal strategy is: 

1. Just start. If you're dreaming of an app, stop dreaming, 
pick yourself up from wherever you are right now and sit 
down in front of your Mac. With the advent of the App 
Stores, it's never been easier to start up your own software 
outfit and focus entirely on your product (rather than 
worrying about web stores and serial numbers.) Find the 
time and start making something. 

Where can we see a sample of your work? 

My Mac products can be downloaded from my site 
at http://www.heliumfoot.com and Grocery List for iPhone is 
available at http://itunes.apple.com/app/grocerylist-the-fastest-way/id352712665?mt=8. 

I also released some of the GroceryList source code 
at https://bitbucket.org/kalperin/hfuikit 


If you or someone you know belongs in the MacTech Spotlight, let us 
know! Send details to editorial@mactech.com 
